Alan Evans wrote:
I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining. Can someone please help me figure this configuration out?
I have an LDAP master and an LDAP slave and I want the slave to chain updates to the master so the clients don't have to worry about following referrals.
I am successful in getting the slave to follow the referral and return errors from the master; however, with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficient access or needing more rights.
- Client binds with dn and password to slave
- Client submits modify request to slave
- Slave binds to master with binddn (bindmethod=simple)
- Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE)
- Slave submits modify to master as client (chain is global)
- Master checks client's dn for access
- Master performs update
- Master returns result to slave
- Slave returns result to client
Not exactly what you need, but chaining works OK for me, using a proxy user (no rebind-as-user policy).
In the slave:
    chain-idassert-authzFrom "*"
In the master:
    # proxy authorization policy
    authz-policy to
And my proxy entry:
    # chain, roles, futurs.inria.fr
    dn: cn=chain,ou=roles,dc=futurs,dc=inria,dc=fr
    objectClass: organizationalRole
    objectClass: simpleSecurityObject
    cn: chain
    description: slave server proxy user
    authzTo: dn:*
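For readers trying to put the pieces of this thread together, here is a complete slapd.conf-style configuration in the proxy-user style the reply above describes (the slave binds to the master once as a dedicated proxy identity and asserts the client's DN via proxy authorization, with no rebind-as-user). This is an added illustration, not configuration posted by either author: the host names, suffix, proxy DN and password are assumed placeholders, and the "slave" and "master" halves go in the respective servers' slapd.conf files.

```conf
##### slave slapd.conf (assumed example, not from the thread) #####
# Chaining is configured globally (before any database section) so that
# referrals returned by any database on this server are followed by the
# chain overlay instead of being handed back to the client.
overlay             chain
chain-uri           "ldap://master.example.com"            # assumed master URI
chain-idassert-bind bindmethod=simple
                    binddn="cn=chain,ou=roles,dc=example,dc=com"   # assumed proxy identity
                    credentials="ProxyPasswordPlaceholder"          # placeholder, not a real secret
                    mode=self                                       # assert the client's own DN
chain-idassert-authzFrom "*"    # allow any locally authenticated identity to be asserted
chain-return-error  TRUE        # hand the master's real result code back to the client

database            bdb
suffix              "dc=example,dc=com"
rootdn              "cn=admin,dc=example,dc=com"
# Writes to the slave produce a referral to the master; the chain overlay
# above follows it on the client's behalf.
updateref           "ldap://master.example.com"

##### master slapd.conf (assumed example, not from the thread) #####
# Proxy authorization is decided by the authzTo attribute of the
# authenticating (proxy) entry, as in the reply above.
authz-policy        to

database            bdb
suffix              "dc=example,dc=com"
rootdn              "cn=admin,dc=example,dc=com"
# The master checks access against the asserted client DN, so the ordinary
# ACLs apply to the end user, not to the proxy identity.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by * none

##### proxy entry on the master (LDIF, assumed example) #####
# dn: cn=chain,ou=roles,dc=example,dc=com
# objectClass: organizationalRole
# objectClass: simpleSecurityObject
# cn: chain
# description: slave server proxy user
# userPassword: ProxyPasswordPlaceholder
# authzTo: dn:*
```

Two points worth checking when adapting this: `chain-idassert-authzFrom` on the slave decides which local identities may be asserted at all, while `authz-policy to` plus the proxy entry's `authzTo` on the master decides whom the proxy user may impersonate; an "insufficient access" error from the master with `mode=self` usually means one of these two gates is missing, or the master's ACLs do not grant the asserted client DN the right it needs. `authzTo: dn:*` lets the proxy user assume any DN, so the proxy credentials deserve the same protection as the rootdn password.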