I'm trying to get OpenLDAP's chain overlay to work, but unfortunately, the documentation is rather sparse.
I'm using the OpenLDAP version 2.4.39 packages that come with RHEL 6, and the LDAP master and slave are using TLS to communicate. The TLS certs and keys are stored with Mozilla NSS, so the `tls_certdir` and `tls_cert` statements below should be correct (they definitely work in this form for replication).

My configuration (in `slapd.conf` form, which I convert to OLC notation before using) is:
```
overlay chain
chain-uri ldap://my.ldap.master.example.com
chain-rebind-as-user FALSE
chain-idassert-bind bindmethod="simple"
        binddn="cn=Manager,dc=example,dc=com"
        credentials="xxxxxxxxxxxxxxxx"
        mode="self"
        starttls=yes
        tls_reqcert=demand
        tls_cacertdir=/etc/openldap/certs
        tls_cert=my.ldap.slave.example.com
chain-tls start tls_reqcert=demand tls_cacertdir=/etc/openldap/certs tls_cert=my.ldap.slave.example.com
chain-return-error TRUE

[...syncrepl...]

updateref ldap://my.ldap.master.example.com
```
I want to get this working so that policy updates get forwarded onto the master (e.g., when someone gets their password wrong five times or more, the slave will send the `pwdAccountLockedTime` to the master, rather than storing it locally). I have `ppolicy_forward_updates` set in the config file for this purpose.

I have tested this and am not seeing any traffic going to the LDAP master when I make changes on the slave.

Does anyone know what I'm doing wrong here?
Best Answer
You need to make sure the `chain` overlay is configured on the `frontend` database and not the `hdb`/`mdb`/`bdb` database. So in your `cn=config` database you should end up with the following entries:

```
olcDatabase={-1}frontend,cn=config
olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
```

I had the same problem where I had configured the overlay on the main `hdb` database and had the same symptoms where there was no traffic from the slave to the master. As soon as I re-parented the overlay and its database to the `frontend` database it started to work.

You may also need to configure the `olcAuthzPolicy` attribute on the master server.
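To make the accepted answer concrete, here is an added LDIF (not from the question or the answer, and not a file shipped by OpenLDAP) that creates the three entries the answer lists, using the slapo-chain(5) and slapd-ldap(5) cn=config attribute names that correspond to the `slapd.conf` directives in the question. The master hostname, certificate directory, certificate nickname, bind DN and placeholder password are taken from the question's configuration; the `ldapi:///` URI and `-Y EXTERNAL` authentication assumed for loading it are a common default, not something the page states.

```ldif
# Added example: chain overlay parented under the frontend database,
# as slapo-chain requires for forwarding writes (e.g. ppolicy updates)
# to the master. Load with:
#   ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif

# 1. The overlay itself, attached to the frontend database.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
# chain-return-error TRUE
olcChainReturnError: TRUE

# 2. The target (master) database under the overlay, one per chained URI.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
# chain-uri
olcDbURI: "ldap://my.ldap.master.example.com"
# chain-rebind-as-user FALSE
olcDbRebindAsUser: FALSE
# chain-tls start ... (same TLS settings as the question; NSS cert nickname)
olcDbStartTLS: start tls_reqcert=demand tls_cacertdir=/etc/openldap/certs tls_cert=my.ldap.slave.example.com
# chain-idassert-bind ... ; replace the placeholder password before loading
olcDbIDAssertBind: bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials="xxxxxxxxxxxxxxxx" mode=self starttls=yes tls_reqcert=demand tls_cacertdir=/etc/openldap/certs tls_cert=my.ldap.slave.example.com
```

After loading it, confirm the overlay actually sits under the frontend and not under the data backend with `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config '(olcOverlay=*chain)' dn`; the only DN returned should be the `olcDatabase={-1}frontend` child. Because `olcDbIDAssertBind` carries the master's manager credentials in clear text, keep `cn=config` readable only by root and the `ldapi` socket, and remember that `mode=self` means the master must permit the slave's bind DN to assert the original user's identity, which is what the `olcAuthzPolicy` (and the matching `authzTo`/`authzFrom` rules) on the master control.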