Emmanuel Dreyfus manu@netbsd.org wrote:
    modifying entry "uid=foo,o=example"
    ldap_modify: Authentication method not supported (7)
Any hint appreciated
Trying with debug output: the replica slapd sends its certificate to the master, which accepts it. But the master slapd just grants an anonymous bind for that. It suggests something goes wrong with the authz-regexp clauses, but I fail to understand why they stopped working after the 2.4 upgrade.
On the master (edited to retain only relevant parts):

    TLS trace: SSL_accept:before/accept initialization
    TLS trace: SSL_accept:SSLv3 read client hello A
    TLS trace: SSL_accept:SSLv3 write server hello A
    TLS trace: SSL_accept:SSLv3 write certificate A
    TLS trace: SSL_accept:SSLv3 write certificate request A
    TLS trace: SSL_accept:SSLv3 flush data
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS trace: SSL_accept:error in SSLv3 read client certificate A
    TLS certificate verification: depth: 1, err: 0, subject: <CA cert>
    TLS certificate verification: depth: 0, err: 0, subject: <replica cert>
    TLS trace: SSL_accept:SSLv3 read client certificate A
    TLS trace: SSL_accept:SSLv3 read client key exchange A
    TLS trace: SSL_accept:SSLv3 read certificate verify A
    TLS trace: SSL_accept:SSLv3 read finished A
    TLS trace: SSL_accept:SSLv3 write change cipher spec A
    TLS trace: SSL_accept:SSLv3 write finished A
    TLS trace: SSL_accept:SSLv3 flush data
    conn=8 op=0 BIND dn="" method=128
    conn=8 op=0 RESULT tag=97 err=0 text=
    do_bind: v3 anonymous bind
So, what is the culprit? The replica's settings?

    overlay chain
    chain-uri ldaps://ldapmaster.exemple.net:636
    chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="cn=foo" mode=self
    chain-idassert-authzFrom "*"
    chain-return-error TRUE
Or the master's settings?

    authz-policy to
    authz-regexp cn=ldapreplica1.example.net cn=ldapreplica1.example.net,o=example
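For readers following the thread, here is an added illustration of the two halves of this setup side by side. It is not the poster's configuration and not anything shipped by the OpenLDAP project: a master-side slapd.conf fragment that maps the subject DN of a verified TLS client certificate (the identity SASL EXTERNAL supplies) onto a directory DN, and a replica-side chain fragment that presents that client certificate. The hostnames, file paths, the assumed certificate subject, the regular expression, and the use of the slapd-ldap(5) tls_cert/tls_key options on the chain are assumptions made for the example.

```conf
# Added example, not the original poster's configuration.
# Hostnames, file paths and the certificate subject are assumptions.

### master: slapd.conf ###
TLSCACertificateFile    /etc/openldap/ca.crt
TLSCertificateFile      /etc/openldap/ldapmaster.crt
TLSCertificateKeyFile   /etc/openldap/ldapmaster.key
# Request and verify the client certificate; without it SASL EXTERNAL
# has no identity to map and the bind stays anonymous.
TLSVerifyClient         demand

# The identity SASL EXTERNAL derives from a TLS client certificate is the
# certificate subject DN in LDAP string form. Map it onto the entry that
# carries the replica's access rights. Assumed certificate subject:
#   cn=ldapreplica1.example.net,ou=replicas,o=example
authz-regexp
    "^cn=ldapreplica1\.example\.net,ou=replicas,o=example$"
    "cn=ldapreplica1.example.net,o=example"

### replica: slapd.conf ###
overlay chain
chain-uri               ldaps://ldapmaster.example.net:636
# Assumption: the chain's TLS client certificate is what SASL EXTERNAL
# presents to the master. tls_cert/tls_key/tls_cacert are the slapd-ldap(5)
# TLS options, prefixed with chain- as the overlay requires.
chain-tls               ldaps tls_cert=/etc/openldap/ldapreplica1.crt tls_key=/etc/openldap/ldapreplica1.key tls_cacert=/etc/openldap/ca.crt
chain-idassert-bind     bindmethod=sasl saslmech=EXTERNAL mode=self
chain-idassert-authzFrom "*"
chain-return-error      TRUE
```

To check the mapping independently of the chain overlay, run `ldapwhoami -H ldaps://ldapmaster.example.net -Y EXTERNAL` from the replica with LDAPTLS_CERT and LDAPTLS_KEY pointing at the replica certificate and key (LDAPTLS_CACERT at the CA). The DN it prints is the identity the master derived from the certificate after authz-regexp processing; if that is not the directory DN the ACLs expect, the regular expression side of the authz-regexp is what needs adjusting before the chained bind can succeed.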