Hello
I have the following setup:
ldap0 is the LDAP master; ldap1 and ldap2 are replicas using syncrepl.
- Users can use simple authentication on the 3 servers.
- ldap0 holds a bunch of ACLs to handle modifications.
- ldap1 and ldap2 have minimal ACLs and are there just for reading.
- Mutual authentication between master and replicas is done by TLS certificates.
Now I'd like the replicas to follow updatedn referrals on behalf of the client. That way clients could ask ldap1 and ldap2 to perform modifications, and that would just work. As I understand, this is done through slapo-chain.
The modification has to be done on behalf of the user that authenticated on the replica (else my ACLs will block). I don't want to give replicas a universal write access to the master, because that would mean I'd have to duplicate the ACLs between the master and the replicas. For performance's and maintainability's sake, I want to avoid that.
In an ideal world, I'd like replicas to connect to the master using their certificates, and the master would trust the user identity, as it was authenticated on the replica. Is there an example of how this should be done?
I had a look at the test suite, and it does not help very much, as I'm not familiar enough with the authz stuff to grasp how it is supposed to work.
I tried this on the replica, as global option:
    overlay chain
    chain-uri ldaps://ldap0
    chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL mode=self
But the modification operation is done using the identity from the replica TLS certificate (which fails) and not from the initial user.
Any hint?
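For reference, here is an added example (not from the original post) of the two halves that identity assertion needs: the replica side asserting the user's identity, and the master side authorizing the replica to do so. The setup in the post only has the first half; with mode=self the replica binds as its own certificate identity and sends a proxyAuthz control naming the user, and the master must explicitly permit that replica identity to proxy-authorize as users from the user subtree, otherwise the master rejects the control or the operation runs as the replica itself. The suffix dc=example,dc=com, the ou=people and ou=servers containers, the certificate subject, and the server DNs are assumptions for illustration.

```conf
# --- replica (ldap1 / ldap2) slapd.conf, global section ---
overlay chain
chain-uri "ldaps://ldap0"
# Bind to the master with the replica's own TLS client certificate,
# then assert the identity of whoever bound to the replica (mode=self).
# flags=prescriptive makes operations from identities that are NOT
# covered by chain-idassert-authzFrom fail instead of silently running
# as the replica's own identity.
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL mode=self flags=prescriptive
# Only identities from the user subtree may be asserted; anything else
# (anonymous, service accounts elsewhere) is refused.
chain-idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
chain-return-error TRUE

# --- master (ldap0) slapd.conf ---
# Map the replica's certificate subject to a DN in the directory.
# The subject string below is an assumed example; it must match the
# DN as slapd prints it (see "ldapwhoami -Y EXTERNAL" from the replica).
authz-regexp
  "cn=ldap1.example.com,ou=servers,o=Example"
  "cn=ldap1,ou=servers,dc=example,dc=com"
authz-regexp
  "cn=ldap2.example.com,ou=servers,o=Example"
  "cn=ldap2,ou=servers,dc=example,dc=com"
# Authorization is granted by the proxy's entry (authzTo), not by users.
authz-policy to

# --- master: entries for the replicas (LDIF), assumed example ---
# dn: cn=ldap1,ou=servers,dc=example,dc=com
# objectClass: applicationProcess
# cn: ldap1
# authzTo: dn.subtree:ou=people,dc=example,dc=com
```

The authzTo value is deliberately restricted to the user subtree rather than "*" so that a compromised replica certificate can only act as ordinary users, never as the rootdn or other administrative identities, and the existing ACLs on ldap0 still apply because each chained operation is evaluated as the asserted user.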