Re: slapd-meta
- To: Quanah Gibson-Mount <quanah@zimbra.com>, openldap-technical@openldap.org
- Subject: Re: slapd-meta
- From: Fr3ddie <fr3ddie@fr3ddie.it>
- Date: Thu, 10 Mar 2016 10:15:10 +0100
- In-reply-to: <17B77E63A550B0A71E0A961C@[192.168.1.9]>
- Organization: fr3ddie.it
- References: <5641CFB9.6030405@fr3ddie.it> <564B6A78.8000206@fr3ddie.it> <B86DF74A3A67FB202276375E@[192.168.1.9]> <56D5DE23.6060809@fr3ddie.it> <17B77E63A550B0A71E0A961C@[192.168.1.9]>
- User-agent: Fr3ddie's Thunderbird on Linux
On 04/03/2016 20:33, Quanah Gibson-Mount wrote:
>> Then I modified the ldif file in order to create the meta-DB and its
>> sub-DBs containing the URIs of the target servers (if I correctly
>> understood):
>>
>> version: 1
>> dn: olcDatabase={3}meta,cn=config
>> objectClass: olcDatabaseConfig
>> objectClass: olcMetaConfig
>> olcDatabase: {3}meta
>> olcSuffix: dc=loc1,dc=root
>> olcSuffix: dc=loc2,dc=root
>> olcSuffix: dc=loc3,dc=root
>
> I've never used meta backend, but the above doesn't look valid to me
> (multiple suffixes). The man page shows a single suffix, with URI
> directives for additional representations of the DB.

[omitted]

> The slapd-meta test suite shows an additional parameter, mode=self,
> being set. That may or may not help. ;)

Hello,
I performed further testing but I have no good news :(
About the multiple "olcSuffix" I'm inserting into the
"olcDatabase={3}meta" (I don't know where I'm supposed to put
multiple entries of the olcSuffix except the olcDatabase since it is an
attribute of olcDatabaseConfig objectclass),
I configured the meta backend with just one DB suffix and just one
target, in order to keep it easy and avoid,
as much as possible, my configuration mistakes. I believe this is the
configuration I would have been supposed to
do in order to properly configure the slapd-/ldap/ backend (?).
Moreover, although I tried both "mode=self", "mode=none" and
"authzID="dn:cn=admin,dc=loc1,dc=root""
(and "flags=non-prescriptive" too, while without the "authzID" of
course), the result is the same.
Logs from the slapd-meta equipped server report (I'm simply trying to
directly access the admin dn):
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH base="cn=admin,dc=loc1,dc=root" scope=0 deref=0 filter="(objectClass=*)"
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SRCH attr=hasSubordinates objectClass
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 meta_search_dobind_init[0] mc=0x7175f3e8: non-empty dn with empty cred; binding anonymously
Mar 4 19:50:59 server01 slapd[28946]: conn=1160 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
and from the target server:
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 ACCEPT from IP=10.0.x.55:51909 (IP=10.0.y.85:389)
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BIND dn="cn=admin,dc=loc1,dc=root" method=128
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=1 UNBIND
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 closed
thus the target server refuses unauthenticated bind and closes the
connection (as it is configured to do so).
Moreover, if I try to put double quotes around the "binddn" directive it
seems that slapd-meta doesn't recognize at all
the dn I'm trying to use to bind to the target, and the target server's
log reports:
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 fd=58 ACCEPT from IP=10.0.x.55:49353 (IP=10.0.y.85:389)
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97 err=0 text=
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULT tag=101 err=123 nentries=0 text=anonymous proxied authorization not allowed
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 do_search: get_ctrls failed
Just to be complete, this is (one of) the configurations I'm trying:
dn: olcMetaSub={0}uri
objectClass: olcConfig
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://server01.loc1.root/dc=loc1,dc=root"
olcDbIDAssertBind: mode=self bindmethod=simple
binddn=cn=admin,dc=loc1,dc=root credentials=xxxxxxx starttls=no
authzID="dn:cn=admin,dc=loc1,dc=root"
while the rest of the configuration stayed the same as the one from my
first mail.
At this point I'm really stuck and the only thing I can think of is
the presence of a bug somewhere in slapd-meta,
since the behaviour doesn't reflect the configuration of somewhat
simple parameters.
Is there anybody having the same issues?
Is it still my fault on configuration?
I really don't know where to put my hands on...
Thanks for support
--
Fr3ddie
fr3ddie@fr3ddie.it
A computer is like an air conditioner:
it stops working when you open Windows
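
An added example, not part of the original message or of OpenLDAP: a small Python parser that groups the target server's slapd log lines by connection and reports each failed result with the bind DN presented and the peer address, which separates the two failure modes shown in the logs above (a DN sent with no password, and proxied authorization on an anonymous bind). The sample lines are the message's own target-server excerpts with the mail line wraps rejoined; the function names and the `kind` labels are chosen for this example.

```python
import re

# Target-server lines from the message above, mail line wraps rejoined.
SAMPLE_LOG = """\
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 fd=58 ACCEPT from IP=10.0.x.55:49353 (IP=10.0.y.85:389)
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 BIND dn="" method=128
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=0 RESULT tag=97 err=0 text=
Mar 4 19:31:58 server-tgt slapd[31090]: conn=1094 op=1 SEARCH RESULT tag=101 err=123 nentries=0 text=anonymous proxied authorization not allowed
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 fd=59 ACCEPT from IP=10.0.x.55:51909 (IP=10.0.y.85:389)
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 BIND dn="cn=admin,dc=loc1,dc=root" method=128
Mar 4 19:50:59 server-tgt slapd[31090]: conn=1728 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed
"""

LINE = re.compile(r"conn=(?P<conn>\d+) (?:fd|op)=\d+ (?P<rest>.*)")
ACCEPT = re.compile(r"ACCEPT from IP=(?P<peer>\S+)")
BIND = re.compile(r'BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT = re.compile(r"RESULT tag=\d+ err=(?P<err>\d+)(?: nentries=\d+)? text=(?P<text>.*)")

def classify(err, dn):
    """Label the two failure modes seen in the thread; anything else is generic."""
    if err == 53 and dn:       # unwillingToPerform: DN presented, password empty
        return "unauthenticated-bind"
    if err == 123 and not dn:  # authorizationDenied: proxied authz on anonymous bind
        return "anonymous-proxy-authz"
    return "other-failure"

def failed_proxy_auth(log):
    """Return one finding per non-zero LDAP result, joined to its connection's bind DN and peer."""
    peers, bind_dn, findings = {}, {}, []
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        if a := ACCEPT.match(rest):
            peers[conn] = a["peer"]
        elif b := BIND.match(rest):
            bind_dn[conn] = b["dn"]   # DN as presented; method=128 is a simple bind
        elif (r := RESULT.search(rest)) and r["err"] != "0":
            err, dn = int(r["err"]), bind_dn.get(conn, "")
            findings.append({"conn": conn, "peer": peers.get(conn), "dn": dn,
                             "err": err, "text": r["text"], "kind": classify(err, dn)})
    return findings

if __name__ == "__main__":
    for f in failed_proxy_auth(SAMPLE_LOG):
        print(f)
```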