[horde] Using separate LDAP write and read servers for Turba

Andy Dorman adorman at ironicdesign.com
Tue Jul 29 13:39:35 UTC 2014


On 07/28/2014 02:04 PM, Andy Dorman wrote:
> On 07/28/2014 12:01 PM, Andreas Schulze wrote:
>> Andy Dorman:
>>>>> So is it no longer possible to use a separate write_server for Turba?
>>>>
>>>> Correct.
>> untested idea:
>>
>> when using syncreplica you could add an updateref¹
>> Clients will get that as response when they try to write to a read
>> only server.
>> Maybe the client-library used by horde honors that "hint".
>>
>> Andreas
>>
>> ¹) http://www.openldap.org/doc/admin24/guide.html#updateref%20%3CURL%3E
>>
>
> Andreas, thank you...that may do exactly what we need.
>
> We already have the updateref attribute configured for all our slaves,
> but I had forgotten all about it.
>
> I will test it and report back.
>

Well I am not having any luck so far...I changed the server in 
backends.local.php to 'localhost', confirmed LDAP ACL rules were the 
same for the master (which works) and slave (which doesn't) and we keep 
getting the "Strong(er) authentication required" error shown below from 
the debug log of one of the tests.

2014-07-28T14:29:23.102968-05:00 yorick HORDE: [turba] Failed to add an 
object: [8] "Strong(er) authentication required" DN: 
uid=20140728192923.hqL0AySZ_alzsglmrFuACA6 at beta.mail.bulldogs.com,uid=andydorman at comehome.net,ou=addresses,o=antespam.com 
(attributes: 
[a:6:{s:2:"cn";s:6:"Andy.D";s:4:"mail";s:26:"andy.dorman at comehome.email";s:9:"givenname";s:4:"Andy";s:2:"sn";s:6:"Dorman";s:3:"uid";s:61:"20140728192923.hqL0AySZ_alzsglmrFuACA6 at beta.mail.bulldogs.com";s:11:"objectclass";a:3:{i:0;s:6:"person";i:1;s:13:"inetOrgPerson";i:2;s:20:"organizationalPerson";}}]) 
[pid 14212 on line 331 of "/usr/share/horde/turba/lib/Driver/Ldap.php"]
2014-07-28T14:29:23.103019-05:00 yorick HORDE: 1. 
Turba_Form_AddContact->execute() /usr/share/horde/turba/add.php:68#0122. 
Turba_Driver->add() 
/usr/share/horde/turba/lib/Form/AddContact.php:76#0123. 
Turba_Driver_Ldap->_add() /usr/share/horde/turba/lib/Driver.php:910

I even tried binding with the admin user and password and got the same 
error.

Here is our turba backends.local.php config

$cfgSources['localsql']['disabled'] = true;
$_ldap_uid = strtolower($GLOBALS['registry']->getAuth());
$_ldap_basedn = ',ou=addresses,o=antespam.com';
$cfgSources['personal_ldap']['disabled'] = false;

$cfgSources['personal_ldap']['params']['server'] = 'localhost';
$cfgSources['personal_ldap']['params']['root'] = 'uid=' . $_ldap_uid . $_ldap_basedn;
$cfgSources['personal_ldap']['params']['bind_dn'] = 'uid=' . $_ldap_uid . $_ldap_basedn;
$cfgSources['personal_ldap']['params']['bind_password'] = $GLOBALS['registry']->getAuthCredential('password');
$cfgSources['personal_ldap']['params']['scope'] = 'sub';
$cfgSources['personal_ldap']['params']['objectclass'] = array('person', 'inetOrgPerson', 'organizationalPerson');

Our slapd.conf sets updateref as shown below, and this has worked fine 
for many years with Cyrus & perl clients.

# Where to send people to do updates
updateref    ldap://ldap.ironicdesign.com/

So now I am googling to see if I can find any useful reference to this 
error message with the PHP client.

-- 
Andy Dorman
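
A triage helper for log entries like the one quoted above, as an added example that is not part of the original post or of Horde: it rejoins the hard-wrapped syslog lines, pulls the LDAP result code out of each failed Turba add and names it per RFC 4511, so a referral produced by updateref (code 10) can be told apart from code 8 and from an ACL denial (code 50). The function names and the sample log text (with placeholder DN) are constructed for illustration.

```python
import re

# RFC 4511 result codes a write sent to a read-only replica may come back with.
RESULT_CODES = {8: "strongerAuthRequired", 10: "referral",
                49: "invalidCredentials", 50: "insufficientAccessRights",
                53: "unwillingToPerform"}

# A new syslog record starts with an ISO 8601 timestamp; other lines are wraps.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")
FAILURE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) HORDE: \[turba\] Failed to add an object: "
    r'\[(?P<code>\d+)\] "(?P<msg>[^"]*)" DN: (?P<dn>.+?) \(attributes:'
)

# Constructed sample, modelled on the wrapped log entry in the post.
SAMPLE = """\
2014-07-28T14:29:23.102968-05:00 yorick HORDE: [turba] Failed to add an
object: [8] "Strong(er) authentication required" DN:
uid=entry1,uid=user@example.com,ou=addresses,o=example.com
(attributes: [...]) [pid 14212 on line 331 of
"/usr/share/horde/turba/lib/Driver/Ldap.php"]
2014-07-28T14:29:23.103019-05:00 yorick HORDE: 1.
Turba_Form_AddContact->execute() /usr/share/horde/turba/add.php:68
"""

def join_records(text):
    """Rejoin mail-wrapped lines into one string per syslog record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def turba_ldap_failures(text):
    """Return one dict per failed Turba LDAP add found in the log text."""
    out = []
    for rec in join_records(text):
        m = FAILURE.match(rec)
        if m:
            code = int(m["code"])
            out.append({"time": m["ts"], "code": code, "dn": m["dn"],
                        "name": RESULT_CODES.get(code, "other"),
                        "referral": code == 10})
    return out
```
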


