I'm using chaining as well, from 3 slaves that chain to a single master. In
my case, I created a new user to do the chaining (cn=proxyUser,dc=domain).
In order to get my setup working I had to add an authzTo URI to my
cn=proxyUser account in addition to the chain-* configuration references
you mentioned:
# proxyUser, domain
dn: cn=proxyUser,dc=domain
authzTo: {0}ldap:///ou=people,dc=domain??one?(objectClass=posixAccount)
All my user accounts are in the ou=people branch and all contain the OC
posixAccount as indicated above. You may need to craft a different URI
depending on what accounts you want to modify and where they live. The
slapd-ldap(5) man page has more info on using authzTo.
(I don't know if this is necessarily the fix in your case as you're using
what appears to be your admin account to do the chaining, but this is what
got mine working)
-Michael Proto
On Wed, Jul 17, 2013 at 3:44 PM, <[email protected]> wrote:
>
> Okay, my referral chaining was working and then stopped working. I get an
> error 10 when I submit a change to my clustered consumers that are set up to
> refer writes to my master LDAP server. In looking at the configuration
> help in the online documentation it shows how to set up the slapd.conf file
> on the master. The issue here is that everything is set up through
> cn=config. My consumers do have a slapd.conf file along with cn=config
> files. I have inherited these servers so I'm sure what the person here
> before me was trying to do. I have an idea but I didn't like that idea.
>
> Here is the chaining command from my slapd.conf file.
>
> overlay chain
> chain-uri "ldap://tntest-ldap-master-1.example.com"
> chain-rebind-as-user TRUE
> chain-idassert-bind bindmethod="simple"
> binddn="uid=admin,dc=oreillyauto,dc=com"
> credentials="password"
> mode="self"
> chain-tls start
> chain-return-error TRUE
>
>
> The syncrepl area
> syncrepl rid 002
> provider=ldap://tntest-ldap-master-1.example.com
> type=refreshOnly
> interval=00:00:05:00
> searchbase-"dc=oreillyauto,dc=com"
> binddn="uuid=syncrepl,ou=system,dc=oreillyauto,dc=com"
> credentials=password
>
> updatedn "uid=ldapadmin,ou=system,dc=example,dc=com"
> updateref ldap://tntest-ldap-master-1.example.com
>
> I need to be pointed in the right direction please.
> Thanks,
> Eric Speake
> Web Systems Administrator
> O'Reilly Auto Parts
>
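Added example, not part of the original thread and not OpenLDAP code: a small Python sketch of which identities the authzTo URI quoted in the reply would let cn=proxyUser assert. The function names and sample entries are hypothetical and constructed for illustration; DN handling is simplified (no escaped commas) and only simple (attr=value) filters are evaluated.

```python
import re

def parse_authz_to(value):
    """Split '{N}ldap:///base?attrs?scope?filter' into (base, scope, filter)."""
    value = re.sub(r"^\{\d+\}", "", value.strip())   # drop the ordering prefix
    if not value.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URI")
    fields = value[len("ldap:///"):].split("?") + ["", "", ""]
    base, _attrs, scope, filt = fields[:4]
    return base, (scope or "base"), filt             # LDAP URL default scope is base

def norm_dn(dn):
    # Simplification (assumption): no escaped commas inside RDN values.
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(dn, base, scope):
    d, b = norm_dn(dn), norm_dn(base)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                                 # not under the base at all
    depth = len(d) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def matches_filter(entry, filt):
    if not filt:
        return True
    m = re.fullmatch(r"\(([A-Za-z][\w-]*)=([^()*]+)\)", filt)
    if not m:
        raise ValueError("only simple (attr=value) filters are handled here")
    attr, want = m.group(1).lower(), m.group(2).lower()
    values = {k.lower(): v for k, v in entry.items()}.get(attr, [])
    return want in (v.lower() for v in values)

def may_assume(authz_to, dn, entry):
    """True if the authzTo rule covers the identity at dn."""
    base, scope, filt = parse_authz_to(authz_to)
    return in_scope(dn, base, scope) and matches_filter(entry, filt)

AUTHZ_TO = "{0}ldap:///ou=people,dc=domain??one?(objectClass=posixAccount)"
SAMPLES = {  # constructed entries, not taken from any real directory
    "uid=alice,ou=people,dc=domain": {"objectClass": ["inetOrgPerson", "posixAccount"]},
    "uid=svc,ou=people,dc=domain": {"objectClass": ["account"]},
    "uid=bob,ou=contractors,ou=people,dc=domain": {"objectClass": ["posixAccount"]},
    "cn=admin,dc=domain": {"objectClass": ["posixAccount"]},
}

def evaluate_samples():
    return {dn: may_assume(AUTHZ_TO, dn, e) for dn, e in SAMPLES.items()}

if __name__ == "__main__":
    for dn, ok in evaluate_samples().items():
        print(("allowed " if ok else "refused ") + dn)
```

Only the first sample is covered: the others fail on the filter, the one-level scope, or the search base, which is how the URI keeps the proxy identity from asserting accounts outside ou=people.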