On 09/22/2010 05:52 PM, Dieter Kluenter wrote:
Bram Cymet <[email protected]> writes:
On 09/22/2010 07:27 AM, [email protected] wrote:
Please try this patch
<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-29-chain.1.patch>,
posted some time ago in partial response to ITS#6540 and report.
Thanks,
p.
I will give the patch a try.
What is the patch doing? I am guessing it will fix the illegal
configuration problem.
It comments out some braindead checks (I don't even remember what they
were there for) that prevent reloading a valid configuration from cn=config.
Consider that back-config support in back-ldap was added during the
development of back-config itself, so some odd configuration cases that
worked at that time might no longer be valid now.
Should I use the configuration I gave above or should it be modified?
The configuration should be fine; even the contents of the configuration
database (back-config) should be valid. After applying the patch, slapd
should restart fine, loading slapo-chain(5) as it is configured now.
p.
Hi,
I have applied the patch and now after adding my config I am able to
restart slapd. The only problem now is that the chaining has stopped
working. I am not sure why it worked before and not now.
Will that patch be applied to future versions of OpenLDAP?
At this point I am trying to figure out the best way to take a config like:
overlay chain
chain-rebind-as-user FALSE
chain-uri "ldap://ldap1.example.com"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod="simple"
    binddn="cn=Auth,dc=example,dc=com"
    credentials="secret"
    mode="self"
chain-uri "ldap://ldap2.example.com"
chain-idassert-bind bindmethod="simple"
    binddn="cn=Auth,dc=example,dc=com"
    credentials="secret"
    mode="none"
and properly add it to the cn=config directory.
In this particular case, overlay chain should be a global
configuration, not a database specific configuration.
This is a working example:
<global configuration>
...
overlay chain
chain-uri ldap://some.host
chain-idassert-bind
    bindmethod=simple
    binddn="cn=replicator,o=avci,c=de"
    credentials="secret"
    mode=self
    flags=non-prescriptive
chain-return-error TRUE
chain-rebind-as-user TRUE
chain-tls start
    tls_cacert="/etc/openldap/certs/avciCA.pem"
    tls_reqcert=demand

database config
rootdn cn=config
syncrepl rid=042
...

database hdb
suffix o=avci,c=de
...
syncrepl rid=099
...
-Dieter
Yes, I do want it to be a global configuration. However, what you have
included above would go into the slapd.conf config file, correct? My
setup uses the online config, where the config is stored in LDAP itself
(well, really in flat files in /etc/openldap/slap.d).
So what I need is an ldif file like the one that I had in my original
post so that I can add the chain-overlay properly.
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
Cell: 613-608-9752
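The cn=config equivalent of the two-server chain overlay configuration quoted earlier in this thread, written here as an added example rather than taken from any message in it. It uses the attribute and object class names documented in slapo-chain(5) and slapd-ldap(5) (olcChainConfig, olcChainDatabase, olcLDAPConfig, olcDbURI, olcDbRebindAsUser, olcDbIDAssertBind); the hostnames, bind DN and credentials are the ones from the slapd.conf fragment above. It assumes chain is the first overlay on the frontend database, so that slapd assigns it the {0} index used in the child DNs; if other frontend overlays already exist, adjust that index.

```ldif
# Global chain overlay, attached to the frontend database (the cn=config
# counterpart of "overlay chain" in the global section of slapd.conf).
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain

# First remote server: the directives that follow the first chain-uri in
# slapd.conf become attributes of the first olcChainDatabase child entry.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: "ldap://ldap1.example.com"
olcDbRebindAsUser: TRUE
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="secret" mode=self

# Second remote server. chain-rebind-as-user is not repeated after the
# second chain-uri in the original, so olcDbRebindAsUser is left at its
# default here and only the identity assertion (mode=none) is set.
dn: olcDatabase={1}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {1}ldap
olcDbURI: "ldap://ldap2.example.com"
olcDbIDAssertBind: bindmethod=simple binddn="cn=Auth,dc=example,dc=com" credentials="secret" mode=none
```

Load it with `ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif` (or bind as the rootdn cn=config shown in Dieter's example); the entries must be added in this order because the children name the overlay entry. Dieter's extra directives map the same way: chain-return-error becomes olcChainReturnError on the overlay entry, and chain-tls with its tls_* options becomes olcDbStartTLS on the child entry. Note that credentials="secret" is stored in clear text in the slapd.d files and is readable by anyone who can read cn=config, so keep the directory permissions and the olcAccess rules on cn=config as tight as they would be for slapd.conf.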