From: Gavin Henry
Date: Thu, 6 Sep 2007 21:17:45 +0000 (+0000)
Subject: Chaining example added.
X-Git-Tag: OPENLDAP_REL_ENG_2_4_9~20^2~686
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=1985c17a65afdacb961d1f5c5f5605e8db0f4088;p=openldap

Chaining example added.
---

diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws
index ef1e8fb3bd..e713d033a1 100644
--- a/doc/guide/admin/aspell.en.pws
+++ b/doc/guide/admin/aspell.en.pws
@@ -1,4 +1,4 @@
-personal_ws-1.1 en 1406
+personal_ws-1.1 en 1410
 nattrsets
 inappropriateAuthentication
 api
@@ -8,8 +8,8 @@ reqEnd
 olcOverlayConfig
 shoesize
 olcTLSCACertificateFile
-CGI
 cdx
+CGI
 DCE
 DAP
 attributename
@@ -20,8 +20,8 @@ kurt
 authzID
 authzid
 authzId
-DAs
 ddd
+DAs
 userApplications
 BNF
 attrs
@@ -32,8 +32,8 @@ ldapport
 hallvard
 ASN
 acknowledgements
-Chu
 ava
+Chu
 monitorCounter
 del
 DDR
@@ -84,13 +84,13 @@ olcModulePath
 maxentries
 authc
 seeAlso
-searchbase
 searchBase
+searchbase
 realnamingcontext
-dn's
-DNs
-DN's
 dns
+DN's
+DNs
+dn's
 dereference
 sortKey
 authzTo
@@ -155,8 +155,8 @@ INADDR
 compareDN
 sizelimit
 unixODBC
-APIs
 blen
+APIs
 attrsOnly
 attrsonly
 slappasswd
@@ -192,8 +192,8 @@ basedn
 argv
 GSS
 schemachecking
-whoami
 WhoAmI
+whoami
 syslogd
 dataflow
 subentries
@@ -206,6 +206,7 @@ includedir
 inplace
 LDAPAPIFeatureInfo
 logbase
+ldapmaster
 ing
 moduleload
 IPC
@@ -233,8 +234,8 @@ pwdExpireWarning
 localstatedir
 sockbuf
 PENs
-ipv
 IPv
+ipv
 ghenry
 hyc
 multimaster
@@ -267,8 +268,8 @@ intermediateResponse
 myOID
 structuralObjectClass
 integerMatch
-openldap
 OpenLDAP
+openldap
 moddn
 rewriteEngine
 AVAs
@@ -287,8 +288,8 @@ bool
 logins
 jts
 memberAttr
-newpasswdfile
 newPasswdFile
+newpasswdfile
 ucdata
 LLL
 confdir
@@ -315,8 +316,8 @@ caseExactMatch
 olcSizeLimit
 Bourne
 attr
-objectidentifier
 objectIdentifier
+objectidentifier
 refint
 msgtype
 OBJEXT
@@ -366,8 +367,8 @@ Autoconf
 alloc
 PDU
 OLF
-inetorgperson
 inetOrgPerson
+inetorgperson
 deleteoldrdn
 monitorCounterObject
 pid
@@ -424,9 +425,9 @@ OTP
 entrylimit
 attrdescN
 logold
-pos
-sbi
 PRD
+sbi
+pos
 reqEntries
 pre
 bvals
@@ -435,6 +436,7 @@ olcReadonly
 olcReadOnly
 pwdChangedTime
 mySQL
+DITs
 sdf
 suffixmassage
 referralDN
@@ -452,6 +454,7 @@ telephoneNumber
 DLDAP
 peernamestyle
 SHA
+Sep
 filename
 rpath
 argsfile
@@ -478,8 +481,8 @@ typedef
 olcDbIDLcacheSize
 ostring
 mwrscdx
-SMD
 UCD
+SMD
 cancelled
 crit
 lucyB
@@ -490,8 +493,8 @@ TGT
 modulepath
 quickstart
 mySNMP
-tgz
 UDP
+tgz
 RDBMs
 rdbms
 Matic
@@ -510,9 +513,9 @@ olcDbConfig
 refreshDone
 ssf
 replogfile
-rwm
-TOC
 vec
+TOC
+rwm
 LDAPDN
 compareAttrDN
 endmacro
@@ -520,15 +523,15 @@ tls
 repl
 monitoringslapd
 referralsp
-tmp
 SRP
+tmp
 olcDbNosync
 conns
 SSL
 PDkzODdASFxOQ
 SRV
-rwx
 sss
+rwx
 deallocators
 Contribware
 URLlist
@@ -642,11 +645,11 @@ groupstyle
 ldapsearch
 cp
 displayName
-eg
 bv
+eg
 olcBackendConfig
-dn
 fd
+dn
 LDAPSync
 olcReplicationInterval
 fG
@@ -729,8 +732,8 @@ sn
 ru
 UG
 ss
-su
 TP
+su
 reqMethod
 XLIBS
 PhotoObject
@@ -747,8 +750,8 @@ xf
 param
 MChAODQ
 caseExactIA
-Vu
 Za
+Vu
 idlecachesize
 ws
 errSleepTime
@@ -770,8 +773,8 @@ ZZ
 entryCSNs
 dlopen
 continuated
-newsuperior
 newSuperior
+newsuperior
 Preprocessor
 XXLIBS
 deallocate
@@ -858,8 +861,8 @@ modifyAttrDN
 dcedn
 olcOverlay
 exop
-berelement
 BerElement
+berelement
 olcRootDN
 octetString
 SampleLDAP
@@ -868,8 +871,8 @@ PostgreSQL
 bvstr
 filesystem
 pathtest
-objectClass
 objectclass
+objectClass
 submatches
 newrdn
 armijo
@@ -883,8 +886,8 @@ modifyDN
 syncuser
 Masarati
 LDAPSyntax
-oldpasswdfile
 oldPasswdFile
+oldpasswdfile
 reqDN
 SSFs
 ietf
@@ -906,8 +909,8 @@ reqId
 setspec
 scanf
 TLSv
-distinguishedname
 distinguishedName
+distinguishedname
 BerVarray
 caseIgnoreSubstrin
 ldapwhoami
@@ -934,8 +937,8 @@ slaptest
 zeilenga
 WebUpdate
 numericoid
-changelog
 ChangeLog
+changelog
 creatorsName
 ascii
 wahl
@@ -951,6 +954,7 @@ libtool
 servercredp
 AttributeTypeDescription
 LTFLAGS
+simplebinddn
 authcDN
 TLSCipherSuite
 supportedSASLMechanisms
@@ -962,10 +966,10 @@ schemadir
 attribute's
 extern
 varchar
-olcDbCacheSize
 olcDbCachesize
-authcid
+olcDbCacheSize
 authcID
+authcid
 POSIX
 hnPk
 ldapext
@@ -984,8 +988,8 @@ reqStart
 sasldb
 somevalue
 LIBRELEASE
-starttls
 StartTLS
+starttls
 LDAPSchemaExtensionItem
 reqReferral
 shtool
@@ -996,8 +1000,8 @@ portnumber
 subjectAltName
 errObject
 valsort
-bervals
 berval's
+bervals
 derefFindingBaseObj
 checkpointed
 keytab
@@ -1018,8 +1022,8 @@ README
 memcalloc
 inet
 saslargs
-givenname
 givenName
+givenname
 olcDbMode
 pidfile
 olcLimits
@@ -1027,8 +1031,8 @@ memvfree
 tuple
 superset
 directoryString
-proxyTemplate
 proxytemplate
+proxyTemplate
 wildcards
 monitoredObject
 TTLs
@@ -1041,8 +1045,8 @@ bvalues
 reqResult
 impl
 outvalue
-returnCode
 returncode
+returnCode
 attributeDescription
 attrval
 dnssrv
@@ -1064,20 +1068,20 @@ uncached
 ldapapiinfo
 groupOfUniqueNames
 dhparam
-slapd's
 slapds
+slapd's
 inputfile
 RDBMSes
 wildcard
 Locator
-errAbsObject
 errABsObject
+errAbsObject
 SASL's
 html
 searchResultDone
 olcBdbConfig
-ldapmod
 LDAPMod
+ldapmod
 olcHidden
 userPassword
 TLSRandFile
@@ -1104,10 +1108,10 @@ cacertdir
 queryid
 Warper
 XDEFS
-urls
 URL's
-postalAddress
+urls
 postaladdress
+postalAddress
 passwd
 plugins
 george
@@ -1121,16 +1125,16 @@ ursula
 LDAPModifying
 slapdconfig
 dnSubtreeMatch
-olcSaslSecProps
 olcSaslSecprops
+olcSaslSecProps
 auditModify
 groupOfNames
 jensen
 reloadHint
 prepending
 olcGlobal
-matchingRule
 matchingrule
+matchingRule
 SmVuc
 MSSQL
 hostnames
@@ -1144,9 +1148,9 @@ whsp
 realusers
 dnstyle
 suffixalias
-proxyAttrset
-proxyAttrSet
 proxyattrset
+proxyAttrSet
+proxyAttrset
 pwdMustChange
 ldif
 bvfree
@@ -1157,8 +1161,8 @@ pwdAttribute
 PRNGD
 LDAPRDN
 entryUUIDs
-proxycache
 proxyCache
+proxycache
 SERATGCgaGBYWGDEjJR
 noanonymous
 accessee
@@ -1210,8 +1214,8 @@ passwdfile
 errMatchedDN
 everytime
 mkdep
-olcDbindex
 olcDbIndex
+olcDbindex
 syntaxOID
 reqData
 databasetype
@@ -1258,8 +1262,8 @@ bitstring
 ACLs
 berptr
 olcModuleLoad
-attributetype
 attributeType
+attributetype
 auditModRDN
 cacert
 freebuf
@@ -1310,23 +1314,23 @@ preallocated
 syntaxes
 memberURL
 monitorRuntimeConfig
-bindDn
-bindDN
 binddn
+bindDN
+bindDn
 methodp
 timelimitExceeded
 pwdInHistory
 LTSTATIC
-requestors
 requestor's
+requestors
 LDAPCONF
 saslauthd
 MKDEPFLAG
 gecos
 entryUUID
-gnutls
-GNUtls
 GnuTLS
+GNUtls
+gnutls
 postread
 timeval
 DHAVE
@@ -1347,8 +1351,8 @@ entryTtl
 LDAPControl
 pwdMinLength
 ldapcompare
-readonly
 readOnly
+readonly
 RANDFILE
 attrlist
 aci
@@ -1372,8 +1376,8 @@ userid
 Kumar
 AES
 bdb
-manageDSAit
 ManageDsaIT
+manageDSAit
 bindpw
 monitorContainer
 pEntry
@@ -1384,8 +1388,8 @@ objectIdentifierMatch
 Blowfish
 mkln
 numericStringSubstringsMatch
-openssl
 OpenSSL
+openssl
 ModName
 cacheable
 freeit
@@ -1394,8 +1398,8 @@ ber
 ali
 mandir
 changetype
-CAs
 CA's
+CAs
 typeA
 bvecfree
 ODBC
diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf
index b153978ece..b9980692a1 100644
--- a/doc/guide/admin/overlays.sdf
+++ b/doc/guide/admin/overlays.sdf
@@ -98,6 +98,63 @@ default when --enable-ldap. H3: Chaining Configuration
+In order to demonstrate how this overlay works, we shall discuss a typical
+scenario which might be one master server and three Syncrepl slaves.
+
+On each replica, add this near the top of the file (global), before any database
+definitions:
+
+> overlay chain
+> chain-uri "ldap://ldapmaster.example.com"
+> chain-idassert-bind bindmethod="simple"
+> binddn="cn=Manager,dc=example,dc=com"
+> credentials=""
+> mode="self"
+> chain-tls start
+> chain-idassert-authzFrom "*"
+> updateref "ldap://ldapmaster.example.com/"
+
+The {{B:chain-tls}} statement enables TLS from the slave to the ldap master.
+The {{B:chain-idassert-authzFrom}} statement will assert the identity of whatever
+bound dn on the slave is making the update request. The DITs are exactly the
+same between these machines, therefore whatever user bound to the slave will
+also exist on the master. If that DN does not have update privileges on the master,
+nothing will happen.
+
+You will need to restart the slave after these changes. Then, if you are using
+{{loglevel 256}}, you can monitor an {{ldapmodify}} on the slave and the master.
+
+Now start an {{ldapmodify}} on the slave and watch the logs. You should expect
+something like:
+
+> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 ACCEPT from IP=143.199.102.216:45181 (IP=143.199.102.216:389)
+> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 STARTTLS
+> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 op=0 RESULT oid= err=0 text=
+> Sep 6 09:27:25 slave1 slapd[29274]: conn=11 fd=31 TLS established tls_ssf=256 ssf=256
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=people,dc=example,dc=com" method=128
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 BIND dn="uid=user1,ou=People,dc=example,dc=com" mech=SIMPLE ssf=0
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=1 RESULT tag=97 err=0 text=
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD dn="uid=user1,ou=People,dc=example,dc=com"
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 MOD attr=mail
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=2 RESULT tag=103 err=0 text=
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 op=3 UNBIND
+> Sep 6 09:27:28 slave1 slapd[29274]: conn=11 fd=31 closed
+> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
+> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_search (0)
+> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: uid=user1,ou=People,dc=example,dc=com
+> Sep 6 09:27:28 slave1 slapd[29274]: syncrepl_entry: be_modify (0)
+
+And on the master you will see this:
+
+> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 PROXYAUTHZ dn="uid=user1,ou=people,dc=example,dc=com"
+> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD dn="uid=user1,ou=People,dc=example,dc=com"
+> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 MOD attr=mail
+> Sep 6 09:23:57 ldapmaster slapd[2961]: conn=55902 op=3 RESULT tag=103 err=0 text=
+
+Note: You can clearly see the PROXYAUTHZ line on the master, indicating the
+proper identity assertion for the update on the master. Also note the slave
+immediately receiving the Syncrepl update from the master.
+ H2: Constraints