Emmanuel Dreyfus manu@netbsd.org wrote:
overlay chain
chain-uri ldaps://ldapmaster.example.net
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=foo"
    mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
It did work with 2.3 but seems broken in 2.4. The slave accepts the client's connection, but when it attempts to do the modification:
modifying entry "uid=foo,o=example"
ldap_modify: Authentication method not supported (7)
Any hint appreciated
Here is the answer: since 2.4, when slapd acts as a client, certificate information (key, cert and CA) must be explicitly provided: the server side settings from TLSCertificateFile, TLSCertificateKeyFile and TLSCACertificateFile are never used.
So here is the overlay chain configuration that works using X.509 certificates for authentication to the LDAP master (binddn is still both mandatory and ignored):
overlay chain
chain-uri ldaps://ldapmaster.example.net
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=dontcare"
    tls_cert=/etc/openssl/certs/ldapslave1.crt
    tls_key=/etc/openssl/private/ldapslave1.key
    tls_cacert=/etc/openssl/certs/ca.crt
    tls_reqcert=demand
    mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
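The failure above is easy to reintroduce when a 2.3-era slapd.conf is carried forward, so a small lint that flags a chain-idassert-bind using saslmech=EXTERNAL without the client-side tls_cert/tls_key/tls_cacert settings is worth keeping next to the config. The script below is an added example, not code from the thread or from the OpenLDAP project; it parses only the chain-idassert-bind directive with a simplified tokenizer (not slapd's own config parser), treats tls_reqcert=demand from the working config above as the expected value, and runs the two configs from this thread as embedded, constructed sample input.

```python
"""Lint a slapd.conf chain overlay for SASL EXTERNAL idassert binds that lack
the client-side TLS settings slapd 2.4 needs when it acts as an LDAP client.
Added example (hypothetical helper); not OpenLDAP project code."""
import shlex

# Per the thread: in 2.4 the server-side TLS* directives are not reused for
# outbound binds, so these keys must appear on the chain-idassert-bind line.
REQUIRED_TLS = ("tls_cert", "tls_key", "tls_cacert")


def parse_chain_idassert_bind(conf_text):
    """Return one dict (key -> value) per chain-idassert-bind directive.
    Lines beginning with whitespace are joined to the previous logical line,
    mirroring slapd.conf continuation; comments and blank lines are skipped."""
    logical = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    binds = []
    for line in logical:
        tokens = shlex.split(line)  # handles binddn="cn=foo" quoting
        if not tokens or tokens[0].lower() != "chain-idassert-bind":
            continue
        kv = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")  # split on the first '=' only
            kv[key.lower()] = value
        binds.append(kv)
    return binds


def lint(conf_text):
    """Return a list of problem strings; an empty list means the config passes."""
    problems = []
    binds = parse_chain_idassert_bind(conf_text)
    if not binds:
        return ["no chain-idassert-bind directive found"]
    for i, kv in enumerate(binds, 1):
        is_external = (kv.get("bindmethod", "").lower() == "sasl"
                       and kv.get("saslmech", "").upper() == "EXTERNAL")
        if not is_external:
            continue  # simple binds are outside this check's scope
        for key in REQUIRED_TLS:
            if not kv.get(key):
                problems.append(f"bind #{i}: saslmech=EXTERNAL without {key}")
        if kv.get("tls_reqcert", "").lower() != "demand":
            problems.append(f"bind #{i}: tls_reqcert=demand expected so the "
                            "master's certificate is verified")
        if "binddn" not in kv:
            problems.append(f"bind #{i}: binddn missing (mandatory even though ignored)")
    return problems


# Constructed sample input: the failing and the working config from the thread.
BROKEN_CONF = """\
overlay chain
chain-uri ldaps://ldapmaster.example.net
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=foo"
    mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
"""

WORKING_CONF = """\
overlay chain
chain-uri ldaps://ldapmaster.example.net
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=dontcare"
    tls_cert=/etc/openssl/certs/ldapslave1.crt
    tls_key=/etc/openssl/private/ldapslave1.key
    tls_cacert=/etc/openssl/certs/ca.crt
    tls_reqcert=demand
    mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        print(name, "->", lint(conf) or "OK")
```

Run it against a real slapd.conf by passing the file's contents to lint(); it deliberately does not touch the cert files themselves, so pairing it with an openssl check that the named key matches the named certificate is the natural next step.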