Simon Gao wrote:
That's great to know. Do you think the following setup will work on a consumer?
=========================================================
overlay chain
chain-rebind-as-user FALSE
chain-uri ldaps://provider/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=sasl saslmech=GSSAPI
    binddn="uid=host/consumer1,cn=gssapi,cn=auth" mode="self"
=========================================================
I have set an ACL on the provider so that uid=host/consumer1 has the correct permissions to write all attributes. But it did not work. The error says that host/consumer1 is not allowed to assert identity.
Do I need to make host/consumer1 an administrative identity on the provider? How?
The issue I am trying to resolve is that I prefer not to put a clear-text password in slapd.conf. SASL binding fits that need perfectly if I can get it to work with the chain overlay.
It appears that authz is not allowed by the provider for that identity. You need to make sure that host/consumer1 has an authzTo rule that allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
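The two provider-side pieces named in the reply, an authz-policy that permits proxy authorization and an authzTo rule on the consumer's identity, written out as an added example (not configuration from either poster). It assumes a slapd.conf provider, that the chained writes come from users under ou=people,dc=example,dc=com, and that the consumer host's GSSAPI identity is mapped onto an entry cn=consumer1,ou=hosts,dc=example,dc=com; the suffix and entry names are placeholders.

```conf
# Provider slapd.conf (added example; assumed suffix dc=example,dc=com)

# Map the consumer host's SASL/GSSAPI identity onto a real entry in the
# directory. authzTo is read from the entry of the authorizing identity,
# so without this mapping there is no entry to hold the rule.
authz-regexp
    "uid=host/consumer1,cn=gssapi,cn=auth"
    "cn=consumer1,ou=hosts,dc=example,dc=com"

# Consult the authorizing identity's own authzTo attribute when it asks
# to assert another identity. With the default policy (none) every
# proxyAuthz attempt is refused, which is the "not allowed to assert
# identity" error the consumer sees.
authz-policy to

# The mapped entry then carries an authzTo value covering the identities
# the consumer may assert (with mode="self" those are the users whose
# writes are chained). Loaded with ldapmodify, the change looks like:
#
#   dn: cn=consumer1,ou=hosts,dc=example,dc=com
#   changetype: modify
#   add: authzTo
#   authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)
#
# Keep the URI scope no wider than the chained writes need: every entry
# it matches is one that consumer1 can act as on the provider.
```

Since the authzTo value is an LDAP URI evaluated on the provider, an identity that the consumer asserts but that falls outside the URI's base, scope and filter is still refused, which makes the rule a useful place to verify that only the intended subtree can be impersonated. No password appears anywhere in this setup; the host's Kerberos credentials are what bind.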