Hello,
Tony Earnshaw wrote: [...]
Could someone please explain why the configuration for the two tests should pass, while it doesn't on my consumer, and why the config with the two chain-rebind-as-user stanzas does?
I always find it helpful to look into the log files of the OpenLDAP servers. On FreeBSD it's /var/log/debug.log.
Personally I find
loglevel 256
which is "stats log connections/operations/results", most helpful. If you are not sure how to interpret log entries, edit them to remove sensitive content and post them, perhaps - if it's more than 10 lines or so - using a pastebin (e.g. pastebin.ca or something).
Of course it seems weird to first have to disable and then later on to enable "chain-rebind-as-user". It seems that this is because one shouldn't rely on default values (as they might change). In the second chain-uri-stanza of the example they don't set the rebind-flag again, so I'd assume that the "global" value set after "overlay chain" will be applied.
Anyway: the best thing next to an explanation I found of what ..rebind-as-user does is in slapd-ldap:
---------8<---------8<---------8<---------8<---------8<---------8<---------
rebind-as-user {NO|yes}
If this option is given, the client's bind credentials are remembered for rebinds, when trying to re-establish a broken connection, or when chasing a referral, if chase-referrals is set to yes.
---------8<---------8<---------8<---------8<---------8<---------8<---------
So I assume that something concerning the credentials breaks - the log should help you pinpoint what exactly.
bye Christian
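
One way to act on the log advice above, as an added example that is not part of the original message: a Python script that pairs each request in `loglevel 256` output with its RESULT line and lists the operations that ended with a non-zero result code, together with the DN involved. The log lines, DNs and addresses are constructed samples, and `failed_operations` is a hypothetical name.

```python
import re

# Constructed sample of slapd "loglevel 256" (stats) output; all values are made up.
SAMPLE_LOG = """\
Jan 10 10:00:01 consumer slapd[812]: conn=1001 fd=14 ACCEPT from IP=192.0.2.10:40112 (IP=0.0.0.0:389)
Jan 10 10:00:01 consumer slapd[812]: conn=1001 op=0 BIND dn="uid=tony,ou=people,dc=example,dc=com" method=128
Jan 10 10:00:01 consumer slapd[812]: conn=1001 op=0 BIND dn="uid=tony,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Jan 10 10:00:01 consumer slapd[812]: conn=1001 op=0 RESULT tag=97 err=0 text=
Jan 10 10:00:02 consumer slapd[812]: conn=1001 op=1 MOD dn="uid=tony,ou=people,dc=example,dc=com"
Jan 10 10:00:02 consumer slapd[812]: conn=1001 op=1 RESULT tag=103 err=10 text=
Jan 10 10:00:05 consumer slapd[812]: conn=1002 op=0 BIND dn="uid=eve,ou=people,dc=example,dc=com" method=128
Jan 10 10:00:05 consumer slapd[812]: conn=1002 op=0 RESULT tag=97 err=49 text=
"""

LINE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)')
RESULT = re.compile(r'(?:SEARCH )?RESULT .*?\berr=(?P<err>\d+)')
REQUEST = re.compile(r'(?P<verb>BIND|SRCH|MODRDN|MOD|ADD|DEL|CMP|PASSMOD|EXT)\b(?P<args>.*)')
DN = re.compile(r'dn="(?P<dn>[^"]*)"')
# LDAP result codes most relevant to bind/chaining problems.
CODES = {10: "referral", 49: "invalidCredentials",
         50: "insufficientAccessRights", 123: "authorizationDenied"}

def failed_operations(log_text):
    """Return (conn, op, verb, dn, err, name) for every non-zero RESULT.

    For a failed BIND, dn is the DN that was attempted; for any other
    operation it is the DN the connection last bound as ("" = anonymous).
    """
    pending, bound_as, failures = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # ACCEPT/closed lines carry no op= field
        conn, key = m["conn"], (m["conn"], m["op"])
        res = RESULT.match(m["rest"])
        req = REQUEST.match(m["rest"])
        if res:
            verb, dn = pending.pop(key, ("?", ""))
            err = int(res["err"])
            if verb == "BIND" and err == 0:
                bound_as[conn] = dn
            elif err != 0:
                who = dn if verb == "BIND" else bound_as.get(conn, "")
                failures.append((conn, m["op"], verb, who, err, CODES.get(err, "other")))
        elif req:
            d = DN.search(req["args"])
            pending[key] = (req["verb"], d["dn"] if d else "")
    return failures

if __name__ == "__main__":
    for row in failed_operations(SAMPLE_LOG):
        print(row)
```

Running the same script over the provider's log for the same time window shows which DN the consumer actually presented when it chased the referral.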