Hi Folks, I'm having a little trouble making a syncrepl slapd slave follow referrals. When I run ldappasswd against the provider the password gets changed and propagated to the slave. However, when I run ldappasswd against the slave, I only get a referral back even though I have the chain overlay specified.
With the "LDAP Browser/Editor" client it's possible to change the password on the slave, so it appears ldappasswd doesn't follow referrals, but simply returns them even though the chain overlay is specified. Am I omitting something essential? Here's the slave slapd.conf (openldap 2.3.11/RHEL4U2 compiled with --enable-slapd --enable-overlays --enable-backends --enable-crypt). Any ideas why the referrals aren't chased by the slave slapd?

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/mailrecipient.schema
include /usr/local/etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/local/libexec/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/server.pem
TLSCertificateKeyFile /usr/local/etc/openldap/server.pem
TLSCACertificateFile /usr/local/etc/openldap/server.pem

# Logging
loglevel 2
threads 128
idletimeout 300
sizelimit unlimited

#######################################################################
# BDB database definitions
#######################################################################

database bdb
cachesize 100000
# one 0.25 GB cache
#dbconfig set_cachesize 0 268435456 1
# Data Directory
#set_data_dir db
# Transaction Log settings
#dbconfig set_lg_regionmax 262144
#dbconfig set_lg_bsize 2097152
#set_lg_dir logs
# When using (and only when using) slapadd(8) or slapindex(8),
# the following flags may be useful:
#dbconfig set_flags DB_TXN_NOSYNC
#set_flags DB_TXN_NOT_DURABLE

suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /usr/local/var/openldap-data
# Indices to maintain
index objectClass eq
#password-hash {MD5}

overlay chain
chain-uri ldap://master.example.com:389
#chain-idassert-method "simple"
chain-idassert-authcDN "cn=Manager,dc=example,dc=com"
chain-idassert-passwd "secret"
chain-idassert-mode "self"

syncrepl rid=123
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry=10,+
    searchbase="dc=example,dc=com"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=example,dc=com"
    credentials=secret
    updatedn="cn=Manager,dc=example,dc=com"

updateref ldap://master.example.com:389
#referral ldap://master.example.com
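For comparison, here is the consumer-side layout that the OpenLDAP 2.3 slapo-chain(5) and slapd-ldap(5) documentation describe for referral chasing, trimmed to the directives that matter. This is an added example, not the configuration from the post above and not anything from the thread: the hostnames, DNs and the "secret" credential are reused from the post, the schema list and tuning directives are dropped, and it assumes a 2.3 release whose slapo-chain(5) accepts the chain-idassert-bind form and global overlays (declared before the first database). The two deliberate differences from the posted file are that the chain overlay is declared globally instead of inside "database bdb", and that identity assertion is configured with the single chain-idassert-bind directive instead of the separate chain-idassert-authcDN/-passwd/-mode lines.

```conf
# Consumer (slave) slapd.conf, reduced to the referral-chasing parts.
# Added example: hostnames, DNs and "secret" come from the post above;
# the layout is an assumption based on the 2.3 slapo-chain(5) and
# slapd-ldap(5) man pages, not the poster's own file.
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

# Stats logging (256) prints one line per operation, which is enough to
# tell a Password Modify extended op (EXT oid=1.3.6.1.4.1.4203.1.11.1)
# from a plain MOD of userPassword, and to see whether each one was
# answered with err=10 (referral) or err=0 (chained and completed).
loglevel 256

# Global overlay: declared BEFORE the first "database" line so that it
# wraps every database, including the referral the consumer itself
# returns for writes (the post declares it inside "database bdb").
overlay chain
chain-uri "ldap://master.example.com:389"
# The consumer binds to the provider as cn=Manager but asserts the
# identity of the user who bound to the consumer (mode=self), so the
# provider's ACLs are evaluated against the real user, not cn=Manager.
# One directive in place of chain-idassert-authcDN / -passwd / -mode,
# which later 2.3 slapd-ldap(5) pages list as deprecated.
chain-idassert-bind bindmethod="simple"
    binddn="cn=Manager,dc=example,dc=com"
    credentials="secret"
    mode="self"

database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
# Placeholder: paste the hash printed by slappasswd(8) here rather than
# keeping a cleartext rootpw in a file that other users may read.
rootpw {SSHA}...
directory /usr/local/var/openldap-data
index objectClass eq

# Same replication agreement as the post, with the documented
# "interval count" retry syntax.
syncrepl rid=123
    provider=ldap://master.example.com
    type=refreshAndPersist
    retry="10 +"
    searchbase="dc=example,dc=com"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=Manager,dc=example,dc=com"
    credentials=secret

# Writes that reach the consumer are answered with this referral; the
# chain overlay above is what turns that referral into a forwarded
# operation instead of a result the client has to chase itself.
updateref ldap://master.example.com:389
```

One caveat worth checking before blaming the overlay: ldappasswd sends the Password Modify extended operation (RFC 3062, OID 1.3.6.1.4.1.4203.1.11.1), whereas a GUI editor that rewrites userPassword sends an ordinary Modify. Those are different operations on the server side, so a consumer that forwards one is not evidence that it forwards the other. With loglevel 256 on the consumer, run both clients and compare the "EXT oid=..." and "MOD dn=..." lines with the "RESULT ... err=" line that follows each; err=10 on the EXT line while the MOD line shows err=0 confirms that only the extended operation is being handed back as a referral.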
