Redhat – OpenLDAP chain overlay configuration


I'm trying to get OpenLDAP's chain overlay to work, but unfortunately, the documentation is rather sparse.

I'm using the OpenLDAP version 2.4.39 packages that come with RHEL 6, and the LDAP master and slave are using TLS to communicate. The TLS certs and keys are stored with Mozilla NSS, so the tls_certdir and tls_cert statements below should be correct (they definitely work in this form for replication).

My configuration (in slapd.conf form, which I convert to OLC notation before using) is:

overlay chain
chain-uri              ldap://my.ldap.master.example.com
chain-rebind-as-user   FALSE
chain-idassert-bind    bindmethod="simple"
                       binddn="cn=Manager,dc=example,dc=com"
                       credentials="xxxxxxxxxxxxxxxx"
                       mode="self"
                       starttls=yes
                       tls_reqcert=demand
                       tls_cacertdir=/etc/openldap/certs
                       tls_cert=my.ldap.slave.example.com
chain-tls              start tls_reqcert=demand tls_cacertdir=/etc/openldap/certs tls_cert=my.ldap.slave.example.com
chain-return-error     TRUE

[...syncrepl...]

updateref       ldap://my.ldap.master.example.com

I want to get this working so that policy updates get forwarded onto the master (e.g., when someone gets their password wrong five times or more, the slave will send the pwdAccountLockedTime to the master, rather than storing it locally). I have ppolicy_forward_updates set in the config file, for this purpose.

I have tested this and am not seeing any traffic going to the LDAP master when I make changes on the slave.

Does anyone know what I'm doing wrong here?

Best Answer

You need to make sure the chain overlay is configured on the frontend database and not the hdb/mdb/bdb database. So in your cn=config database you should end up with the following entries:

  • olcDatabase={-1}frontend,cn=config
  • olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
  • olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config

I had the same problem where I had configured the overlay on the main hdb database and had the same symptoms where there was no traffic from the slave to the master. As soon as I re-parented the overlay and its database to the frontend database it started to work.

You may also need to configure the olcAuthzPolicy attribute on the master server.
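The three cn=config entries the answer lists, written out as LDIF so the chain overlay lands on the frontend database rather than on the hdb/mdb database. This is an added example, not the answer's or the questioner's own configuration: the URIs, bind DN, certificate directory and TLS settings are carried over from the slapd.conf in the question, the OLC attribute names (olcChainConfig, olcChainDatabase, olcDbURI, olcDbStartTLS, olcDbIDAssertBind, olcDbRebindAsUser) are the standard slapo-chain/slapd-ldap mappings of those directives, and the credentials value is a placeholder. It assumes the frontend database olcDatabase={-1}frontend already exists (it always does in cn=config) and that the overlay is the first one on the frontend (index {0}); adjust the index if another overlay is already attached there.

```ldif
# Step 1: attach the chain overlay to the frontend database, not to the
# hdb/mdb/bdb database that holds the replicated data.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
# chain-return-error TRUE: report the master's error to the client
# instead of silently falling back to the referral.
olcChainReturnError: TRUE

# Step 2: the ldap backend the overlay uses to reach the master.
# Each slapd.conf "chain-<directive>" becomes the matching olcDb* attribute.
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
# chain-uri
olcDbURI: "ldap://my.ldap.master.example.com"
# chain-tls: StartTLS to the master, verify its certificate against the
# NSS certdb, present the slave's own cert (NSS nickname, as in the question)
olcDbStartTLS: start tls_reqcert=demand tls_cacertdir="/etc/openldap/certs" tls_cert="my.ldap.slave.example.com"
# chain-idassert-bind: bind as Manager, then assert the original user's
# identity (mode=self) so the master sees the forwarded ppolicy update as
# that user. "xxxxxxxxxxxxxxxx" is a placeholder for the real password.
olcDbIDAssertBind: bindmethod="simple" binddn="cn=Manager,dc=example,dc=com" credentials="xxxxxxxxxxxxxxxx" mode="self" starttls=yes tls_reqcert=demand tls_cacertdir="/etc/openldap/certs" tls_cert="my.ldap.slave.example.com"
# chain-rebind-as-user
olcDbRebindAsUser: FALSE
```

Load it on the slave with ldapadd over the local socket (ldapadd -Y EXTERNAL -H ldapi:/// -f chain.ldif) and confirm the placement afterwards with a search under olcDatabase={-1}frontend,cn=config: if the two entries show up under olcDatabase={2}hdb (or similar) instead, the overlay is still on the wrong database and the symptom in the question (no traffic to the master) will persist. Because the identity assertion asks the master to let cn=Manager act as the original user, the master must permit that proxying, which is what the answer's remark about olcAuthzPolicy refers to.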