Pierangelo Masarati wrote:
> Simon Gao wrote:
>> Hi,
>> I'd like to know if the chain overlay currently supports SASL binding or not with OpenLDAP 2.3.35.
>> Since both idassert-bind and chain-idassert-bind are handled by the ldap backend, can I assume SASL binding should be available to the chain overlay also?
> Yes, it does. But, of course, it cannot bind with the user's credentials. It can use SASL bind when exploiting the idassert feature, namely to bind as an administrative identity to proxyAuthz the user's identity.
That's great to know. Do you think the following setup will work on a consumer?
=========================================================
overlay chain
chain-rebind-as-user FALSE

chain-uri ldaps://provider/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=sasl
    saslmech=GSSAPI
    binddn="uid=host/consumer1,cn=gssapi,cn=auth"
    mode="self"
=========================================================
I have set ACLs on the provider so that uid=host/consumer1 has the correct permissions to write all attributes. But it did not work. The error says that host/consumer1 is not allowed to assert identity.
Do I need to make host/consumer1 an administrative identity on the provider? How?
The issue I am trying to resolve is that I prefer not putting a clear-text password in slapd.conf. SASL binding fits such a need perfectly if I can get it to work with the chain overlay.
Thanks,
Simon
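Editor's note, added to this thread and not part of either poster's message: a proxyAuthz refusal like the one above is what the provider returns when the binding identity has no proxy-authorization rights, which is the default (`authz-policy none`). The fragment below is an added example of the provider-side slapd.conf settings that grant them to the consumer's GSSAPI identity; the suffix, the mapped entry DN and the `ou=proxies` container are assumptions for illustration, and the directives (`authz-regexp`, `authz-policy`, the `authzTo` attribute) are standard OpenLDAP ones.

```conf
# Provider-side slapd.conf fragment (added example, not from the thread).
# Suffix dc=example,dc=com and the cn=consumer1 entry are assumptions.

# 1. Map the SASL/GSSAPI identity the consumer binds with onto a real entry
#    in the DIT. Without this mapping the bind DN stays a virtual
#    cn=auth DN and cannot carry an authzTo attribute.
authz-regexp
    "uid=host/consumer1,cn=gssapi,cn=auth"
    "cn=consumer1,ou=proxies,dc=example,dc=com"

# 2. Let the *authenticated* entry decide whom it may proxy-authorize:
#    "to" means the rule lives in the binding entry's authzTo attribute.
#    The default "none" refuses every proxyAuthz request.
authz-policy to

# 3. The mapped entry must then carry the rule, e.g. (as LDIF, added to
#    cn=consumer1,ou=proxies,dc=example,dc=com with ldapmodify as the admin):
#       authzTo: dn.subtree:dc=example,dc=com
#    Narrow the subtree to the identities the consumer really needs to assert.
```

The ACLs mentioned in the message still apply on top of this: after the provider accepts the proxyAuthz, the chained operation runs with the asserted user's identity, so it is that identity, not host/consumer1, that needs write access to the attributes being updated. Restricting `authzTo` to the smallest subtree that covers the replicated users keeps the host principal from becoming an unrestricted impersonation credential.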