Christophe Gudin
2007-07-18 09:58:46 UTC
Hello list,
I'm having some trouble with following referrals and especially ManageDSAiT.
When I request the supported controls here's what I get:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: supportedControl
#
#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So the ManageDSAiT (2.16.840.1.113730.3.4.2) is meant to be supported.
However if I try any search (or add, etc) with the -M parameter (or if I use
JNDI where I believe this control is set by default) The referrals aren't
followed and I have the following logged error and no result is returned
(not even a referral record):
Jul 18 11:45:03 linuxAeL1 slapd[4163]: begin get_filter
Jul 18 11:45:03 linuxAeL1 slapd[4163]: EQUALITY
Jul 18 11:45:03 linuxAeL1 slapd[4163]: end get_filter 0
Jul 18 11:45:03 linuxAeL1 slapd[4163]: filter: (uid=jlsteiner1000f)
Jul 18 11:45:03 linuxAeL1 slapd[4163]: => get_ctrls
Jul 18 11:45:03 linuxAeL1 slapd[4163]: => get_ctrls: oid="
2.16.840.1.113730.3.4.2" (noncritical)
Jul 18 11:45:03 linuxAeL1 slapd[4163]: <= get_ctrls: n=1 rc=0 err=""
Jul 18 11:45:03 linuxAeL1 slapd[4163]: attrs:
Jul 18 11:45:03 linuxAeL1 slapd[4163]:
Jul 18 11:45:03 linuxAeL1 slapd[4163]: conn=41 op=1 SRCH
base="o=EtatGE,c=CH" scope=2 deref=3 filter="(uid=jlsteiner1000f)"
Jul 18 11:45:03 linuxAeL1 slapd[4163]: slap_global_control: unavailable
control: 2.16.840.1.113730.3.4.2
I really don't understand why this last line is coming up.
I configured openLDAP with the followings: ./configure --enable-backends
--enable-overlays --enable-tls --enable-acl
Here's my slapd.conf:
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openca.schema
include /usr/local/etc/openldap/schema/ldappc.schema
include /usr/local/etc/openldap/schema/kitneduperson.schema
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid
# enable a lot of logging - we might need it
# but generates huge logs
#loglevel Conns Sync Filter
loglevel -1
# NO dynamic backend modules
# TLS-enabled connections
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/ldapcrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/ldapkey.pem
#Here I added the chaining
overlay chain
#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database monitor
access to dn.subtree=cn=monitor
by dn.exact=cn=Manager,o=example,c=ch write
by dn.subtree=o=example,c=ch read
by * write
database bdb
suffix "o=example,c=ch"
# root or superuser
rootdn "cn=Manager,o=example,c=ch"
rootpw secret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /usr/local/var/openldap-data
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
#index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
#index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
dbconfig set_cachesize 0 30000000 0
dbconfig set_lg_bsize 3000000
dbconfig set_flags DB_LOG_AUTOREMOVE
dbcachesize 350000
Also as an aside question, I'm not sure I understand why the server is doing
the recursion referral correctly (i.e. it returns the correct record fetched
on the second server instead of the referral record) when I *don't* put the
-M option...
As I'm a little lost in those referral questions and I didn't find relevant
information I hope someone can clarify this for me.
Best,
Christophe.
I'm having some trouble with following referrals and especially ManageDSAiT.
When I request the supported controls here's what I get:
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectClass=*)
# requesting: supportedControl
#
#
dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.334810.2.3
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
So the ManageDSAiT (2.16.840.1.113730.3.4.2) is meant to be supported.
However if I try any search (or add, etc) with the -M parameter (or if I use
JNDI where I believe this control is set by default) The referrals aren't
followed and I have the following logged error and no result is returned
(not even a referral record):
Jul 18 11:45:03 linuxAeL1 slapd[4163]: begin get_filter
Jul 18 11:45:03 linuxAeL1 slapd[4163]: EQUALITY
Jul 18 11:45:03 linuxAeL1 slapd[4163]: end get_filter 0
Jul 18 11:45:03 linuxAeL1 slapd[4163]: filter: (uid=jlsteiner1000f)
Jul 18 11:45:03 linuxAeL1 slapd[4163]: => get_ctrls
Jul 18 11:45:03 linuxAeL1 slapd[4163]: => get_ctrls: oid="
2.16.840.1.113730.3.4.2" (noncritical)
Jul 18 11:45:03 linuxAeL1 slapd[4163]: <= get_ctrls: n=1 rc=0 err=""
Jul 18 11:45:03 linuxAeL1 slapd[4163]: attrs:
Jul 18 11:45:03 linuxAeL1 slapd[4163]:
Jul 18 11:45:03 linuxAeL1 slapd[4163]: conn=41 op=1 SRCH
base="o=EtatGE,c=CH" scope=2 deref=3 filter="(uid=jlsteiner1000f)"
Jul 18 11:45:03 linuxAeL1 slapd[4163]: slap_global_control: unavailable
control: 2.16.840.1.113730.3.4.2
I really don't understand why this last line is coming up.
I configured openLDAP with the followings: ./configure --enable-backends
--enable-overlays --enable-tls --enable-acl
Here's my slapd.conf:
# NOTES: inetorgperson picks up attributes and objectclasses
# from all three schemas
#
# NB: RH Linux schemas in /etc/openldap
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/openca.schema
include /usr/local/etc/openldap/schema/ldappc.schema
include /usr/local/etc/openldap/schema/kitneduperson.schema
# DON'T bother with ARGS file unless you feel strongly
# slapd scripts stop scripts need this to work
pidfile /var/run/slapd.pid
# enable a lot of logging - we might need it
# but generates huge logs
#loglevel Conns Sync Filter
loglevel -1
# NO dynamic backend modules
# TLS-enabled connections
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /usr/local/var/openldap-data/cacert.pem
TLSCertificateFile /usr/local/var/openldap-data/ldapcrt.pem
TLSCertificateKeyFile /usr/local/var/openldap-data/ldapkey.pem
#Here I added the chaining
overlay chain
#######################################################################
# bdb database definitions
#
# replace example and com below with a suitable domain
#
# If you don't have a domain you can leave it since example.com
# is reserved for experimentation or change them to my and inc
#
#######################################################################
database monitor
access to dn.subtree=cn=monitor
by dn.exact=cn=Manager,o=example,c=ch write
by dn.subtree=o=example,c=ch read
by * write
database bdb
suffix "o=example,c=ch"
# root or superuser
rootdn "cn=Manager,o=example,c=ch"
rootpw secret
# The database directory MUST exist prior to running slapd AND
# change path as necessary
directory /usr/local/var/openldap-data
# Indices to maintain for this directory
# unique id so equality match only
index uid eq
# allows general searching on commonname, givenname and email
index cn,gn,mail eq,sub
# allows multiple variants on surname searching
#index sn eq,sub
# sub above includes subintial,subany,subfinal
# optimise department searches
#index ou eq
# if searches will include objectClass uncomment following
# index objectClass eq
# shows use of default index parameter
index default eq,sub
# other database parameters
# read more in slapd.conf reference section
cachesize 10000
checkpoint 128 15
dbconfig set_cachesize 0 30000000 0
dbconfig set_lg_bsize 3000000
dbconfig set_flags DB_LOG_AUTOREMOVE
dbcachesize 350000
Also as an aside question, I'm not sure I understand why the server is doing
the recursion referral correctly (i.e. it returns the correct record fetched
on the second server instead of the referral record) when I *don't* put the
-M option...
As I'm a little lost in those referral questions and I didn't find relevant
information I hope someone can clarify this for me.
Best,
Christophe.