Emmanuel Dreyfus wrote:
> But the modification operation is done using the identity from the replica TLS certificate (which fails) and not from the initial user.
Owing to a "feature" in idassert code, an authcId or a binddn must be present for the proxyAuthz control to be successfully added to the chained request.
If you use mechs like EXTERNAL, it's going to be empty, resulting in the behavior you observed. Please try adding whatever to authcId or binddn (for example binddn="cn=chain") and report. You may file an ITS for this, if you like. I'm fixing it anyway.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
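The two configurations Pierangelo is contrasting, written out as an added example (this is not a fragment from the thread nor from the OpenLDAP sources). It shows the consumer-side slapo-chain stanza that exhibits the behaviour Emmanuel saw next to the workaround of putting a non-empty binddn on the idassert bind. The provider URI, the use of `chain-tls start`, and the identity `cn=chain` (assumed to be what the consumer's client certificate is mapped to on the provider via authz-regexp) are assumptions for illustration:

```conf
# Consumer (replica) slapd.conf, inside the database section.
# Added example; assumed provider URI and identity mapping.

overlay chain
chain-uri "ldap://provider.example.com"
chain-tls start

# Failing form: with SASL/EXTERNAL the authentication identity comes from
# the TLS client certificate, so authcId and binddn are both empty and the
# idassert code never attaches the proxyAuthz control. The chained write is
# therefore executed on the provider as the replica's certificate identity,
# not as the user who issued it, which is exactly the observed behaviour.
#chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL mode=self flags=non-prescriptive

# Workaround from the reply: any non-empty binddn (or authcId) is enough
# for the proxyAuthz control carrying the original user's DN to be added.
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="cn=chain" mode=self flags=non-prescriptive

# Only identities matching this pattern are asserted; "*" means every
# client of this consumer may have its identity proxied to the provider.
chain-idassert-authzFrom "*"
```

Two checks worth doing after the change, neither of which the thread spells out: on the provider, run with `loglevel stats` and confirm the chained modify is logged with a `PROXYAUTHZ dn="..."` line naming the original user rather than just a bind as the replica's certificate identity; and make sure the provider's `authz-policy` and the `authzTo` (or `authzFrom`) attributes actually permit the identity the consumer binds as to assert other users, since slapd rejects the proxyAuthz control otherwise and the write would fail instead of silently running as the wrong identity.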