
Re: slapd-meta



On 04/03/2016 20:33, Quanah Gibson-Mount wrote:

Then I modified the ldif file in order to create the meta-DB and its sub-DBs containing the URIs of the target servers (if I correctly understood):

     version: 1

     dn: olcDatabase={3}meta,cn=config
     objectClass: olcDatabaseConfig
     objectClass: olcMetaConfig
     olcDatabase: {3}meta
     olcSuffix: dc=loc1,dc=root
     olcSuffix: dc=loc2,dc=root
     olcSuffix: dc=loc3,dc=root

I've never used meta backend, but the above doesn't look valid to me (multiple suffixes). The man page shows a single suffix, with URI directives for additional representations of the DB.

[omitted]
The slapd-meta test suite shows an additional parameter, mode=self, being set. That may or may not help. ;)


Hello,

I performed further testing but I have no good news :(

About the multiple "olcSuffix" I'm inserting into the "olcDatabase={3}meta" (I don't know where I'm supposed to put multiple entries of the olcSuffix except the olcDatabase since it is an attribute of olcDatabaseConfig objectclass), I configured the meta backend with just one DB suffix and just one target, in order to keep it easy and avoid, as much as possible, my configuration mistakes. I believe this is the configuration I would have been supposed to do in order to properly configure the slapd-/ldap/ backend (?).

Moreover, although I tried both "mode=self", "mode=none" and "authzID="dn:cn=admin,dc=loc1,dc=root"" (and "flags=non-prescriptive" too, while without the "authzID" of course), the result is the same.

Logs from the slapd-meta equipped server report (I'm simply trying to directly access the admin dn):

Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH base="cn=admin,dc=loc1,dc=root" scope=0 deref=0 filter="(objectClass=*)"
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH attr=hasSubordinates objectClass
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 meta_search_dobind_init[0] mc=0x7175f3e8: non-empty dn with empty cred; binding anonymously
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=

and from the target server:

Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 ACCEPT from IP=10.0.x.55:51909 (IP=10.0.y.85:389)
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BIND dn="cn=admin,dc=loc1,dc=root" method=128
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=1 UNBIND
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed

thus the target server refuses unauthenticated bind and closes the connection (as it is configured to do so).


Moreover, if I try to put double quotes around the "binddn" directive it seems that slapd-meta doesn't recognize at all the dn I'm trying to use to bind to the target, and the target server's log reports:

Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 fd=58 ACCEPT from IP=10.0.x.55:49353 (IP=10.0.y.85:389)
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97 err=0 text=
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULT tag=101 err=123 nentries=0 text=anonymous proxied authorization not allowed
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 do_search: get_ctrls failed

Just to be complete, this is (one of) the configurations I'm trying:

dn: olcMetaSub={0}uri
objectClass: olcConfig
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://server01.loc1.root/dc=loc1,dc=root";
olcDbIDAssertBind: mode=self bindmethod=simple binddn=cn=admin,dc=loc1,dc=root credentials=xxxxxxx starttls=no authzID="dn:cn=admin,dc=loc1,dc=root"

while the rest of the configuration stayed the same as the one from my first mail.



At this point I'm really stuck and the only thing I can think of is the presence of a bug somewhere in slapd-meta, since the behaviour doesn't reflect the configuration on, somehow simple, parameters.

Is there anybody having the same issues?
Is it still my fault on configuration?

I really don't know where to put my hands on...

Thanks for support


--
Fr3ddie
fr3ddie@fr3ddie.it

A computer is like an air conditioner:
it stops working when you open Windows
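
Added example, not part of the original message or of OpenLDAP: a short Python script that groups target-server slapd log lines by connection and flags the two bind-identity failures quoted above (result 53 on a bind that sent a DN without a password, result 123 on proxied authorization over an anonymous bind). The sample lines are copied from the log excerpts in this message; the function name `diagnose` and the finding strings are assumptions made for the example.

```python
import re
from collections import defaultdict

# Log lines taken from the target-server excerpts quoted in the message above.
SAMPLE_LOG = """\
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BIND dn="cn=admin,dc=loc1,dc=root" method=128
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=1 UNBIND
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97 err=0 text=
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULT tag=101 err=123 nentries=0 text=anonymous proxied authorization not allowed
"""

LINE = re.compile(r"conn=(\d+) op=(\d+) (.*)$")
BIND = re.compile(r'^BIND dn="([^"]*)" method=(\d+)')
RESULT = re.compile(r"RESULT tag=(\d+) err=(\d+)")

def diagnose(log_text):
    """Return {conn: [finding, ...]} for bind-identity problems on a target slapd."""
    bind_dn = {}                      # conn -> DN of the most recent BIND
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(3)
        b = BIND.match(rest)
        if b:
            bind_dn[conn] = b.group(1)
            continue
        r = RESULT.search(rest)
        if not r:
            continue
        tag, err = int(r.group(1)), int(r.group(2))
        dn = bind_dn.get(conn)
        if tag == 97 and err == 53 and dn:
            # tag 97 = bind response; 53 = unwillingToPerform (DN sent, no password)
            findings[conn].append(f"bind as '{dn}' carried no credentials")
        elif tag == 101 and err == 123 and dn == "":
            # tag 101 = search done; 123 = authorizationDenied on an anonymous bind
            findings[conn].append("proxied authorization attempted on an anonymous bind")
    return dict(findings)

if __name__ == "__main__":
    for conn, notes in sorted(diagnose(SAMPLE_LOG).items()):
        print(conn, "; ".join(notes))
```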