Hello,

I try to configure a proxy server with back_meta connecting to two different AD domains. I'm getting the result as expected if I do an ldapsearch. But now I want to add caching for the data, so I configured the following:
----------------
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/symas/run/slapd.args
olcLogLevel: any
olcPidFile: /var/symas/run/slapd.pid
olcToolThreads: 1

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /opt/symas/lib/openldap
olcModuleLoad: {0}back_ldap
olcModuleLoad: {1}back_meta
olcModuleLoad: {2}argon2
olcModuleLoad: {3}rwm.la
olcModuleLoad: {4}pcache.la
olcModuleLoad: {5}back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
...
...
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * read
olcSizeLimit: 500
olcPasswordHash: {ARGON2}

dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage
olcRootDN: cn=admin,cn=config
olcRootPW: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$cXdlcnJ0enV6dWlvMTIz$G/l0lynf7
 ygdz0tG+E7S1fBibsFs/L80AUSisiGl/v4

dn: olcDatabase={1}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {1}meta
olcSuffix: dc=example,dc=net
olcReadOnly: TRUE
olcRootDN: cn=admin,dc=example,dc=net
olcRootPW: $argon2i$v=19$m=4096,t=3,p=1$c2dkc3Rld3Z0ZTV0NDU0NQ$F6NZb2w8O+6BOA3
 L7zZ37mxFv7CPCXfHYuEiIxTYALY
olcMonitoring: FALSE
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

dn: olcOverlay={0}rwm,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmTFSupport: false
olcRwmMap: {0}objectClass posixAccount person
olcRwmMap: {1}attribute uid sAMAccountName

dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
objectClass: olcOverlayConfig
objectClass: olcPcacheConfig
olcOverlay: {1}pcache
olcPcache: mdb 100000 2 1000 100
olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName
olcPcacheAttrset: 1 uid employeeType
olcPcacheTemplate: "(&(mail=)(postalAddress=*)(telephoneNumber)" 0 3600 100 3
 0 1600
olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100
olcPcacheTemplate: "(mail=)" 0 3600
olcPcacheTemplate: "(sn=)" 1 3600 100
olcPcacheTemplate: "(uid=)" 1 3600 1000 30 200
olcPcachePersist: TRUE

dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
objectClass: olcMdbConfig
objectClass: olcPcacheDatabase
olcDatabase: {0}mdb
olcDbDirectory: /var/symas/pcache
olcDbIndex: objectClass eq
olcDbIndex: uid,employeeType,mail eq
olcDbIndex: postalAddress,telephoneNumber,givenName eq

dn: olcMetaSub={0}uri,olcDatabase={1}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://192.168.56.202/ou=org,dc=example,dc=net";
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-orguser,cn=users,dc=example2,dc=org" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none
olcDbMap: {0}attribute uid sAMAccountName
olcDbRewrite: {0}suffixmassage "ou=org,dc=example,dc=net" "dc=example2,dc=org"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

dn: olcMetaSub={1}uri,olcDatabase={1}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {1}uri
olcDbURI: "ldap://192.168.56.203/ou=com,dc=example,dc=net";
olcDbIDAssertAuthzFrom: {0}*
olcDbIDAssertBind: mode=none flags=prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=proxy-comuser,cn=users,dc=example3,dc=com" credentials="Passw0rd" keepalive=0:0:0 tcp-user-timeout=0 tls_reqcert=never tls_reqsan=allow tls_crlcheck=none
olcDbMap: {0}attribute uid sAMAccountName
olcDbRewrite: {0}suffixmassage "ou=com,dc=example,dc=net" "dc=example3,dc=com"
olcDbKeepalive: 0:0:0
olcDbChaseReferrals: FALSE
olcDbProtocolVersion: 3
olcDbRebindAsUser: TRUE

----------------

The same pcache setup works with back_ldap.

What did I do wrong, or did I miss something?

Using this setting with back_ldap, doing an ldapsearch, stopping the domain controller and repeating the ldapsearch, I still get the result because the data is in the cache. Setting up back_meta, as soon as I stop the domain controller I get nothing at all.

Do I have to set up a cache for every uri? Then what should be the DN?

Stefan
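As an added example (neither OpenLDAP code nor the poster's), here is a small Python lint for a pcache overlay in cn=config LDIF: it unfolds RFC 2849 continuation lines the way slapd does, then checks every olcPcacheTemplate against the defined attrsets and the numattrsets value of olcPcache, verifies the filter's parentheses balance, and reports filter attributes without an eq index in the cache database (reported as a warning, the way the pcache examples index them). The sample LDIF is constructed from the pcache entries posted above; the function and attribute names used below are the example's own.

```python
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
olcPcache: mdb 100000 2 1000 100
olcPcacheAttrset: 0 mail postalAddress telephoneNumber givenName
olcPcacheAttrset: 1 uid employeeType
olcPcacheTemplate: "(&(mail=)(postalAddress=*)(telephoneNumber)" 0 3600 100 3
 0 1600
olcPcacheTemplate: "(&(sn=)(givenName=))" 0 3600 100
olcPcacheTemplate: "(sn=)" 1 3600 100

dn: olcDatabase={0}mdb,olcOverlay={1}pcache,olcDatabase={1}meta,cn=config
olcDbIndex: objectClass eq
olcDbIndex: uid,employeeType,mail eq
olcDbIndex: postalAddress,telephoneNumber,givenName eq
"""  # constructed sample: the pcache overlay and cache DB entries from the post above

def parse_entries(text):
    # RFC 2849 folding: a line starting with a space continues the previous one.
    text = re.sub(r"\n ", "", text)
    entries, cur = [], defaultdict(list)
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            cur[attr.strip()].append(value.strip())
        elif cur:
            entries.append(cur)
            cur = defaultdict(list)
    return entries

def check_pcache(text):
    entries = parse_entries(text)
    overlay = next(e for e in entries if "olcPcache" in e)
    cache_db = next(e for e in entries if "olcDbIndex" in e)
    max_sets = int(overlay["olcPcache"][0].split()[2])   # "<db> <max_entries> <numattrsets> ..."
    attrsets = {int(v.split()[0]) for v in overlay["olcPcacheAttrset"]}
    indexed = {a.lower() for v in cache_db["olcDbIndex"]
               if "eq" in v.split()[1].split(",") for a in v.split()[0].split(",")}
    problems = []
    for tmpl in overlay["olcPcacheTemplate"]:
        filt, idx = re.match(r'"([^"]*)"\s+(\d+)', tmpl).groups()
        if int(idx) not in attrsets or int(idx) >= max_sets:
            problems.append(f"{filt}: attrset {idx} is not defined")
        if filt.count("(") != filt.count(")"):
            problems.append(f"{filt}: unbalanced parentheses in filter")
        for attr in re.findall(r"\(([A-Za-z][\w-]*)", filt):   # attribute names in the filter
            if attr.lower() not in indexed:
                problems.append(f"{filt}: {attr} has no eq index in the cache DB")
    return problems
```

Run against the sample it reports the first template's missing closing parenthesis and the unindexed sn attribute in the two sn templates.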
