Pierangelo Masarati <ando@sys-net.it> wrote:
>> But the modification operation is done using the identity from the replica TLS certificate (which fails) and not from the initial user.
> Owing to a "feature" in idassert code, an authcId or a binddn must be present for the proxyAuthz control to be successfully added to the chained request.
> If you use mechs like EXTERNAL, it's going to be empty, resulting in the behavior you observed. Please try adding whatever to authcId or binddn (for example binddn="cn=chain") and report.
It does alter the behavior: now I get this on the master:

Sep 9 23:41:10 ldap0 slapd[5365]: conn=170 op=1 RESULT tag=103 err=47 text=not authorized to assume identity
And the BIND operation still shows the TLS certificate DN for both authzid and authcid: the binddn or authcid I provide does not appear.
Am I missing some directive on the master to allow the proxy authorization?
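As an added example that is not part of the thread, here is a minimal slapd.conf pairing that exercises the mechanism Pierangelo describes: a non-empty binddn on the replica's chain-idassert-bind so that the proxyAuthz control is attached to the chained request, and the authz-regexp / authz-policy / authzTo setup on the master that the proxy-authorization check behind "not authorized to assume identity" consults. Hostnames, DNs, the certificate subject and file paths are assumed; "cn=chain" is the placeholder value from the thread.

```conf
### replica (consumer) slapd.conf -- chain overlay forwarding writes to the master
### hostnames, DNs and file paths are assumed
overlay                 chain
chain-uri               "ldap://master.example.com"
chain-tls               start
# idassert-bind over SASL/EXTERNAL: the replica authenticates with its client certificate.
# binddn is never transmitted for EXTERNAL, but it must be non-empty, otherwise the
# idassert code skips adding the proxyAuthz control to the chained operation.
chain-idassert-bind     bindmethod=sasl
                        saslmech=EXTERNAL
                        tls_cert=/etc/ldap/replica-cert.pem
                        tls_key=/etc/ldap/replica-key.pem
                        binddn="cn=chain"
                        mode=self
# limit which client identities the replica will assert towards the master
chain-idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
chain-return-error      TRUE

### master (provider) slapd.conf -- accept the replica certificate and authorize identity assertion
TLSCACertificateFile    /etc/ldap/ca.pem
TLSVerifyClient         demand
# SASL/EXTERNAL over TLS yields the certificate subject as the authentication DN;
# map it onto a real entry so that authzTo can be attached to it (assumed subject and entry)
authz-regexp
        "^cn=replica,ou=ldap,o=example$"
        "cn=replica,ou=services,dc=example,dc=com"
# the proxyAuthz control is honoured only if the bound identity is allowed to assume the
# requested DN under this policy; "to" means the asserting entry's authzTo values decide
authz-policy            to

### LDIF for the mapped entry on the master (assumed DN): authzTo enumerates the
### identities cn=replica may assume
dn: cn=replica,ou=services,dc=example,dc=com
objectClass: applicationProcess
cn: replica
authzTo: dn.subtree:ou=people,dc=example,dc=com
```

The binddn value is never sent on a SASL/EXTERNAL bind, which is why the BIND log line keeps showing the certificate DN for both authcid and authzid; what the master evaluates on the chained modify is whether the entry the certificate maps to is permitted, under authz-policy, to assume the DN carried in the proxyAuthz control. Keeping the authzTo subtree as narrow as the replicated users' container bounds what a compromised replica certificate could impersonate.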