I finally got chaining working on our OL 2.3.37 (I'll be updating) delta syncrepl Samba consumer. It used to work before and stopped around OL 2.3.24 - unfortunately I don't know exactly which version.
The two 2.3.37 and .38 chaining tests, 018 and 032, pass on my build machine. But when I put these ad lib into slapd.conf on the consumer, they don't.
What doesn't work after 'moduleload back_ldap.la':
overlay chain
chain-uri ldap://mercurius.intern/
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl" credentials=secret mode=self
chain-tls start
Apart from chain-tls, this is almost verbatim what the two tests use.
I finally noticed from the SLAPO-CHAIN man page, not having seen the wood for the trees, the following:
"Directives for configuring the underlying ldap database may also be required, as shown in this example:".
So I tried the example, and this chaining config does work on the consumer:
overlay chain
chain-rebind-as-user FALSE
chain-uri ldap://mercurius.intern/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl" credentials=secret mode=self
chain-tls start
Could someone please explain why the configuration for the two tests should pass, while it doesn't on my consumer, and why the config with the two chain-rebind-as-user stanzas does?
Best,
--Tonni