Discussion:
Problem with chain overlay
Klaus Nagel
2010-02-02 16:11:02 UTC
Hello, I have a little problem with the chain overlay and hope someone
can help me. I have a master and a slave server (both Debian lenny with
OpenLDAP 2.4.11) and a normal syncrepl replication between both, but I
can't get the chain working.

My slave slapd.conf entries:

moduleload back_ldap
overlay chain
chain-uri "ldap://10.8.0.1:389/"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=test,dc=de"
    credentials=testpw
    mode=self
chain-tls start
chain-return-error TRUE

If I try to delete an entry with ldapdelete on the slave server:
ldapdelete -xD "cn=admin,dc=test,dc=de" -w testpw cn=abc,ou=Verteiler,dc=test,dc=de

Log from slave server:
conn=1 fd=13 ACCEPT from IP=127.0.0.1:48451 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" method=128
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=1 op=1 RESULT tag=107 err=8 text=
conn=1 op=2 UNBIND
conn=1 fd=13 closed

Log from master server:
conn=83 fd=15 ACCEPT from IP=10.8.0.2:44720 (IP=0.0.0.0:389)
conn=83 op=0 BIND dn="" method=128
conn=83 op=0 RESULT tag=97 err=0 text=
conn=83 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=83 op=1 RESULT tag=107 err=8 text=modifications require authentication
conn=83 op=2 UNBIND
conn=83 fd=15 closed

...it seems to me that the bind DN is not being transmitted, and I don't
see any StartTLS entries.
...any hints for me?

best regards: Klaus
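As an added example (not part of Klaus's post), a small Python scanner over the slapd "stats" log format quoted above: it correlates each BIND with the write operations that follow on the same connection and flags writes that arrived anonymously (the chained DEL on conn=83, where the asserted identity never reached the master) or were refused with resultCode 8 (strongerAuthRequired). The sample log is constructed from the two excerpts in the post; the write-operation names and regexes are assumptions about the stats log format.

```python
import re

# Constructed sample: the slave (conn=1) and master (conn=83) excerpts from the post.
SAMPLE_LOG = """\
conn=1 fd=13 ACCEPT from IP=127.0.0.1:48451 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" method=128
conn=1 op=0 BIND dn="cn=admin,dc=test,dc=de" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=1 op=1 RESULT tag=107 err=8 text=
conn=83 fd=15 ACCEPT from IP=10.8.0.2:44720 (IP=0.0.0.0:389)
conn=83 op=0 BIND dn="" method=128
conn=83 op=0 RESULT tag=97 err=0 text=
conn=83 op=1 DEL dn="cn=abc,ou=Verteiler,dc=test,dc=de"
conn=83 op=1 RESULT tag=107 err=8 text=modifications require authentication
"""

# Only the first BIND line of a simple bind carries "method="; the "mech=" echo is skipped.
BIND_RE = re.compile(r'^conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
WRITE_RE = re.compile(r'^conn=(\d+) op=(\d+) (MODRDN|MOD|ADD|DEL) dn="([^"]*)"')
RESULT_RE = re.compile(r'^conn=(\d+) op=(\d+) RESULT tag=\d+ err=(\d+)')
STRONGER_AUTH_REQUIRED = 8  # LDAP resultCode 8; slapd says "modifications require authentication"

def find_unauthenticated_writes(log_text):
    """Return one tuple (conn, op, optype, target_dn, bound_dn, err) for every
    write that ran on an anonymous connection or failed with resultCode 8."""
    pending_bind = {}   # (conn, op) -> DN offered in the BIND
    bound = {}          # conn -> DN of the last BIND that got err=0 ("" = anonymous)
    pending_write = {}  # (conn, op) -> (optype, target DN)
    findings = []
    for line in log_text.splitlines():
        if m := BIND_RE.match(line):
            pending_bind[(m[1], m[2])] = m[3]
        elif m := WRITE_RE.match(line):
            pending_write[(m[1], m[2])] = (m[3], m[4])
        elif m := RESULT_RE.match(line):
            key, err = (m[1], m[2]), int(m[3])
            if key in pending_bind:
                dn = pending_bind.pop(key)
                if err == 0:          # bind succeeded: this DN now owns the connection
                    bound[m[1]] = dn
            elif key in pending_write:
                optype, target = pending_write.pop(key)
                bound_dn = bound.get(m[1], "")   # no successful BIND seen = anonymous
                if bound_dn == "" or err == STRONGER_AUTH_REQUIRED:
                    findings.append((m[1], m[2], optype, target, bound_dn, err))
    return findings

if __name__ == "__main__":
    for f in find_unauthenticated_writes(SAMPLE_LOG):
        print("conn=%s op=%s %s %s bound_as=%r err=%d" % f)
```

On the sample both DELs are reported: the slave's because it was refused with err=8, the master's additionally because the chained connection was bound as "", which is the symptom to alert on when identity assertion fails.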
Dieter Kluenter
2010-02-02 18:27:11 UTC
Post by Klaus Nagel
Hello, I have a little problem with the chain overlay and hope someone
can help me. I have a master and a slave server (both Debian lenny with
OpenLDAP 2.4.11) and a normal syncrepl replication between both, but I
can't get the chain working.
moduleload back_ldap
overlay chain
chain-uri "ldap://10.8.0.1:389/"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple
    binddn="cn=admin,dc=test,dc=de"
    credentials=testpw
    mode=self
chain-tls start
chain-return-error TRUE
The global part of my slapd.conf:

overlay chain
chain-uri ldap://ldap.avci.de
chain-idassert-bind
    bindmethod=simple
    binddn="cn=replicator,o=avci,c=de"
    credentials="xxx"
    mode=self
    flags=non-prescriptive
    starttls=yes
    tls_cacert=/opt/openldap/etc/openldap/certs/avciCA.pem
    tls_reqcert=demand
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start

-Dieter
--
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:8EF7B6C6
53°37'09,95"N
10°08'02,42"E
Jaap Winius
2010-02-02 19:09:27 UTC
Post by Klaus Nagel
Hello, I have a little problem with the chain overlay and hope someone
can help me. I have a master and a slave server (both Debian lenny with
OpenLDAP 2.4.11) and a normal syncrepl replication between both, but I
can't get the chain working.
Did you remember to include the necessary proxy authorization? I've
been working hard to increase my own understanding of this subject,
also using Debian lenny. Here are some of my own instructions that you
may find handy:

* OpenLDAP consumer -- Referrals
http://www.rjsystems.nl/en/2100-openldap-consumer.php#refr

* OpenLDAP consumer with MIT Kerberos V -- Referrals
http://www.rjsystems.nl/en/2100-openldap-consumer-kerberos.php#refr

I'm currently busy revising these pages, so they will change
occasionally, but so far I've not encountered any problems with the
chaining instructions. If you spot anything obviously stupid, or would
just like to comment, I'd be happy to hear from you.

Cheers,

Jaap