Bram Cymet <[email protected]> writes:

> On 09/22/2010 07:27 AM, [email protected] wrote:
>>>> Please try this patch
>>>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch>,
>>>> posted some time ago in partial response to ITS#6540 and report.
>>>> Thanks,
>>>> p.
>>>>
>>> I will give the patch a try.
>>>
>>> What is the patch doing? I am guessing it will fix the illegal
>>> configuration problem.
>> It comments some braindead checks that I don't even remember what were
>> there for, that prevent reloading a valid configuration from cn=config.
>> Consider that back-config support in back-ldap was added during the
>> development of back-config itself, so some odd configuration cases that
>> worked at that time might no longer be valid now.
>>
>>> Should I use the configuration I gave above or should it be modified?
>> The configuration should be fine; even the contents of the configuration
>> database (back-config) should be valid. After applying the patch, slapd
>> should restart fine, loading slapo-chain(5) as it is configured now.
>>
>> p.
>>
> Hi,
>
> I have applied the patch and now after adding my config I am able to
> restart slapd. The only problem now is that the chaining has stopped
> working. I am not sure why it worked before and not now.
> Will that patch be applied to future versions of openldap?
>
> At this point I am trying to figure out the best way to take a config like:
>
> overlay chain
> chain-rebind-as-user FALSE
> chain-uri "ldap://ldap1.example.com"
> chain-rebind-as-user TRUE
> chain-idassert-bind bindmethod="simple"
>     binddn="cn=Auth,dc=example,dc=com"
>     credentials="secret"
>     mode="self"
> chain-uri "ldap://ldap2.example.com"
> chain-idassert-bind bindmethod="simple"
>     binddn="cn=Auth,dc=example,dc=com"
>     credentials="secret"
>     mode="none"
>
> and properly add it to the cn=config directory.
In this particular case, overlay chain should be a global configuration, not
a database-specific configuration. This is a working example:

<global configuration>
...
overlay chain
chain-uri ldap://some.host
chain-idassert-bind bindmethod=simple
    binddn="cn=replicator,o=avci,c=de"
    credentials="secret"
    mode=self
    flags=non-prescriptive
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start tls_cacert="/etc/openldap/certs/avciCA.pem" tls_reqcert=demand

database config
rootdn cn=config
syncrepl rid=042
...

database hdb
suffix o=avci,c=de
...
syncrepl rid=099
...

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: [email protected]
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
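As an added illustration (not part of the thread), this is Bram's slapd.conf chain block expressed as cn=config LDIF and placed globally under the frontend database, as Dieter suggests. It assumes the frontend carries no other overlay (so chain gets index {0}), that directives placed before the first chain-uri act as defaults for every target, and uses a placeholder password and CA path; hostnames and the bind DN are the ones from the thread, and the attribute names are those documented for slapo-chain(5)/slapd-ldap(5) back-config support.

```ldif
# Added example, not from the thread: Bram's chain configuration as
# cn=config entries under the frontend database (global overlay).
# Placeholders: CHANGEME-PASSWORD and /PATH/TO/ca.pem.

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
# chain-return-error TRUE, taken from Dieter's example
olcChainReturnError: TRUE

# First target: the first "chain-uri" plus the directives that follow it
# up to the next chain-uri (rebind-as-user TRUE, idassert mode=self).
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://ldap1.example.com
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials=CHANGEME-PASSWORD mode=self
# chain-tls from Dieter's example: verify the remote server's certificate
olcDbStartTLS: start tls_cacert=/PATH/TO/ca.pem tls_reqcert=demand

# Second target: the second "chain-uri" inherits the rebind-as-user FALSE
# set before the first chain-uri (assumed default semantics), mode=none.
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: ldap://ldap2.example.com
olcDbRebindAsUser: FALSE
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials=CHANGEME-PASSWORD mode=none
olcDbStartTLS: start tls_cacert=/PATH/TO/ca.pem tls_reqcert=demand
```

Load it as the cn=config rootdn (for example `ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif`, assuming ldapi is enabled). Note that the idassert password is stored in the config database in clear text, so read access to the cn=config tree should be restricted to the config rootdn.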
