> Hi Folks, > > I'm having a little trouble making a syncrepl slapd slave follow > referrals. > When I run ldappasswd against the provider the password gets changed and > propagated to the slave. However when I run ldappasswd against the slave, > I > only get a referral back even though I have chain overlay specified. > > With the "LDAP Browser/Editor" client it's possible to change the password > on the slave, so it appears ldappasswd doesn't follow referrals, but > simply > returns them even though chain overlay is specified. Am I omitting > something > essential?
Yes. To enable the updateref chaining feature, the slapo-chain must be instantiated as global. p. > > Here's the slave slapd.conf: (openldap 2.3.11/RHEL4U2 compiled with > --enable-slapd --enable-overlays --enable-backends --enable-crypt) > > Any ideas why the referrals arent chased by the slave slapd? > > # > # See slapd.conf(5) for details on configuration options. > # This file should NOT be world readable. > # > include /usr/local/etc/openldap/schema/core.schema > include /usr/local/etc/openldap/schema/cosine.schema > include /usr/local/etc/openldap/schema/nis.schema > include /usr/local/etc/openldap/schema/inetorgperson.schema > include /usr/local/etc/openldap/schema/misc.schema > include /usr/local/etc/openldap/schema/mailrecipient.schema > include /usr/local/etc/openldap/schema/samba.schema > > > # Define global ACLs to disable default read access. > > # Do not enable referrals until AFTER you have a working directory > # service AND an understanding of referrals. > #referral ldap://root.openldap.org > > pidfile /usr/local/var/run/slapd.pid > argsfile /usr/local/var/run/slapd.args > > # Load dynamic backend modules: > # modulepath /usr/local/libexec/openldap > # moduleload back_bdb.la > # moduleload back_ldap.la > # moduleload back_ldbm.la > # moduleload back_passwd.la > # moduleload back_shell.la > > # Sample security restrictions > # Require integrity protection (prevent hijacking) > # Require 112-bit (3DES or better) encryption for updates > # Require 63-bit encryption for simple bind > # security ssf=1 update_ssf=112 simple_bind=64 > > # Sample access control policy: > # Root DSE: allow anyone to read it > # Subschema (sub)entry DSE: allow anyone to read it > # Other DSEs: > # Allow self write access > # Allow authenticated users read access > # Allow anonymous users to authenticate > # Directives needed to implement policy: > # access to dn.base="" by * read > # access to dn.base="cn=Subschema" by * read > # access to * > # by self write > # by users read > # by anonymous auth > # > # if no access controls are present, the default policy > # allows anyone and everyone to read anything but restricts > # updates to rootdn. (e.g., "access to * by * read") > # > # rootdn can always read and write EVERYTHING! > > TLSCipherSuite HIGH:MEDIUM:+SSLv3 > TLSCertificateFile /usr/local/etc/openldap/server.pem > TLSCertificateKeyFile /usr/local/etc/openldap/server.pem > TLSCACertificateFile /usr/local/etc/openldap/server.pem > > # Logging > loglevel 2 > threads 128 > idletimeout 300 > sizelimit unlimited > > > ####################################################################### > # BDB database definitions > ####################################################################### > > database bdb > cachesize 100000 > > # one 0.25 GB cache > #dbconfig set_cachesize 0 268435456 1 > > # Data Directory > #set_data_dir db > > # Transaction Log settings > #dbconfig set_lg_regionmax 262144 > #dbconfig set_lg_bsize 2097152 > #set_lg_dir logs > > # When using (and only when using) slapadd(8) or slapindex(8), > # the following flags may be useful: > #dbconfig set_flags DB_TXN_NOSYNC > #set_flags DB_TXN_NOT_DURABLE > > > > > > suffix "dc=example,dc=com" > rootdn "cn=Manager,dc=example,dc=com" > # Cleartext passwords, especially for the rootdn, should > # be avoid. See slappasswd(8) and slapd.conf(5) for details. > # Use of strong authentication encouraged. > rootpw secret > # The database directory MUST exist prior to running slapd AND > # should only be accessible by the slapd and slap tools. > # Mode 700 recommended. > directory /usr/local/var/openldap-data > # Indices to maintain > index objectClass eq > > #password-hash {MD5} > > overlay chain > chain-uri ldap://master.example.com:389 > #chain-idassert-method "simple" > chain-idassert-authcDN "cn=Manager,dc=example,dc=com" > chain-idassert-passwd "secret" > chain-idassert-mode "self" > > > > syncrepl rid=123 > provider=ldap://master.example.com > type=refreshAndPersist > retry=10,+ > searchbase="dc=example,dc=com" > filter="(objectClass=*)" > scope=sub > attrs="*" > schemachecking=off > bindmethod=simple > binddn="cn=Manager,dc=example,dc=com" > credentials=secret > updatedn="cn=Manager,dc=example,dc=com" > > > updateref ldap://master.example.com:389 > #referral ldap://master.example.com > -- Pierangelo Masarati mailto:[EMAIL PROTECTED] Ing. Pierangelo Masarati Responsabile Open Solution SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: [EMAIL PROTECTED] ------------------------------------------
