Pierangelo Masarati wrote:
Simon Gao wrote:
That's great to know. Do you think the following setup will work on a consumer?
=========================================================
overlay chain
chain-rebind-as-user FALSE
chain-uri ldaps://provider/
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=sasl saslmech=GSSAPI binddn="uid=host/consumer1,cn=gssapi,cn=auth" mode="self"
=========================================================
I have set ACL on provider so that uid=host/consumer1 has correct permissions to write all attributes. But it did not work. The error says that host/consumer1 is not allowed to assert identity.
Do I need to make host/consumer1 an administrative identity on provider? How?
The issue I am trying to resolve is that I prefer not putting a clear-text password in slapd.conf. SASL binding fits such a need perfectly if I can get it to work with the chain overlay.
It appears that authz is not allowed by the provider for that identity. You need to make sure that host/consumer1 has an authzTo rule that allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
I am not making much progress. Here is what I tried to add to provider's slapd.conf:
authz-policy both
authzFrom dn.exact:uid=host/consumer1,cn=GSSAPI,cn=auth
authzTo dn.subtree:ou=people,dc=example,dc=com
Anything I missed?
Simon
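The provider-side pieces that the reply about authzTo and authz-policy refers to, as an added example that is not part of the thread: the SASL-derived DN uid=host/consumer1,cn=gssapi,cn=auth has no entry of its own, so an authzTo rule has to live in a real entry that the identity is mapped to with authz-regexp, and it is an attribute of that entry rather than a slapd.conf directive. The ou=hosts container and the cn=consumer1 entry are assumed names.

```conf
# --- provider slapd.conf (added example) ---
# Map the GSSAPI identity of the consumer host to a real entry so that
# an authzTo attribute can be attached to it. $1 captures "consumer1".
authz-regexp
    "uid=host/([^,]*),cn=gssapi,cn=auth"
    "ldap:///ou=hosts,dc=example,dc=com??one?(cn=$1)"

# Evaluate only the authzTo attribute of the authenticating identity;
# the target users under ou=people then need no authzFrom of their own.
authz-policy to

# --- LDIF for the mapped entry (added example; names assumed) ---
# authzTo is an operational attribute set by the administrator; this
# value limits host/consumer1 to asserting identities under ou=people,
# which is what mode="self" on the consumer needs for the bound user.
dn: cn=consumer1,ou=hosts,dc=example,dc=com
objectClass: device
cn: consumer1
authzTo: dn.subtree:ou=people,dc=example,dc=com
```

The consumer's chain-idassert-bind directive from the thread stays as posted; only the provider needs these additions.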