Pierangelo Masarati wrote, on 05-09-2007 09:18:
The two 2.3.37 and .38 chaining tests, 018 and 032, pass on my build machine. But when I put these ad lib into slapd.conf on the consumer, they don't.
What doesn't work after 'moduleload back_ldap.la':
overlay chain
chain-uri ldap://mercurius.intern/
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl" credentials=secret mode=self
What do you mean "doesn't work"? Do you mean that it doesn't chain anonymous searches? Did you try an authenticated search? Anonymous operation chaining is implicitly disabled by the idassert-bind directive, as you can see from slapd-ldap(5).
"Doesn't work" means that I get tag=103 err=10 in the consumer log (loglevel 256), the client gets a referral. No clients on the consumer other than Samba tools understand this, so referrals aren't followed by them.
I'm not binding to the consumer anonymously, I'm binding as "cn=proxy,dc=barlaeus,dc=nl" who has full authZTo rights. I'd expect the above chain-idassert-bind to work, as it does in the tests, and it doesn't.
If you want to let them through anonymously you need to add "flags=non-prescriptive" to the idassert-bind statement; if you want anonymous to be asserted as anonymous as well, leave the idassert-bind statement as is, and add
chain-idassert-authzFrom "*"
None of this is in test018 or test23. My above stanzas conform completely to the slapd.confs for these tests.
There's no point in binding anonymously, my ACLs prohibit all access other than auth to userPassword and all access whatsoever to most other attributes.
[...]
overlay chain
chain-rebind-as-user FALSE
chain-uri ldap://mercurius.intern/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=barlaeus,dc=nl" credentials=secret mode=self
chain-tls start
Could someone please explain why the configuration for the two tests should pass, while it doesn't on my consumer, and why the config with the two chain-rebind-as-user stanzas does?
I don't think that adding chain-rebind-as-user really makes any difference, because rebinding as user makes no sense if you use identity assertion: the user is not going to rebind anyway, as its identity is going to be asserted. The only thing that could change is in case chaining implies further referral chasing, i.e. if while chaining the operation another referral is encountered.
I tried to go to pains to point out that the second config stanzas *work* (again, "work" means that the referral is recognized - tag=110 - and no error is returned), while the first stanzas *do not* work - tag=110 err=10. I also asked for an explanation of why (when this is not the case with the tests).
It's no good telling me that chain-rebind-as-user is useless, when:
1: it's documented - though without an explanation - in SLAPO-CHAIN, and 2: it works ("works" means the referral from the slave is accepted and passed to the master, while a config without it doesn't).
--Tonni
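For reference, an added consumer-side slapd.conf chain stanza that applies the two options Pierangelo describes above (this is example configuration written for this page, not the poster's own config; the host name, binddn and credentials are placeholders):

```conf
# Added example, not from the thread above. Placeholders: the provider
# host name, the proxy DN and the password are constructed values.
moduleload back_ldap.la

overlay chain
chain-uri ldap://provider.example.internal/

# The proxy identity the consumer uses on the provider. With mode=self the
# consumer asserts the identity of whoever bound to it, so that identity
# (not only the proxy DN) needs authzTo rights on the provider.
# flags=non-prescriptive: operations from anonymous clients are still
# chained (without identity assertion) instead of being answered with a
# referral, which plain idassert-bind would do.
chain-idassert-bind bindmethod=simple
    binddn="cn=proxy,dc=example,dc=net"
    credentials="CHANGE-ME"
    mode=self
    flags=non-prescriptive

# Alternative to flags=non-prescriptive: keep the plain idassert-bind and
# allow anonymous to be asserted as anonymous. "*" permits any identity,
# anonymous included, to be asserted through the proxy DN, so the ACLs on
# the provider are what then limit what an asserted identity can read.
# chain-idassert-authzFrom "*"
```

Leading whitespace marks a continuation line in slapd.conf, so the multi-line chain-idassert-bind above is one directive; the credentials value means the file must stay readable only by the slapd user.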