Simon Gao wrote:
It appears that authz is not allowed by the provider for that identity. You need to make sure that host/consumer1 has an authzTo rule that allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
I am not making much progress. Here is what I tried to add to the provider's slapd.conf:
authz-policy both authzFrom dn.exact:uid=host/consumer1,cn=GSSAPI,cn=auth authzTo dn.subtree:ou=people,dc=example,dc=com
Anything I missed?
I am making some progress on this. Following example test014, I am able to get sasl bind working.
I still have two questions.
1) For chain-idassert-bind, if I put bindmethod, saslmech, binddn, mode on each individual line, then sasl binding does not work. They all must be on the same one line. Any reason why multiple lines work for simple bind, but not for sasl binding? The inconsistency will cause more effort in troubleshooting.
2) Is it possible to add authzTo/authzFrom at the "ou=people,dc=example,dc=com" level and have all the child entries be proxy authenticated?
Simon
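An added configuration example, not from Simon's post, that puts the pieces discussed above together: the consumer's chain-idassert-bind kept on one line as the thread observes, the provider-side authz-regexp mapping the GSSAPI identity to a real entry, and an authzTo value using dn.subtree so that one rule covers every child of ou=people. The provider URI, the entry cn=consumer1,ou=proxies,dc=example,dc=com, mode=self and authz-policy to are assumptions for illustration.

```conf
# --- consumer1 slapd.conf (chain overlay forwarding updates to the provider) ---
# Assumed: provider URI and the "self" assertion mode.
overlay chain
chain-uri "ldap://provider.example.com"
# As noted in the thread: keep every idassert parameter on this single line.
chain-idassert-bind bindmethod=sasl saslmech=GSSAPI mode=self authz=native
chain-return-error TRUE

# --- provider slapd.conf ---
# Map the Kerberos principal host/consumer1, as SASL presents it, to a real
# entry. authzTo/authzFrom are attributes on entries, not slapd.conf directives.
# The SASL-derived DN is normalised to lower case before the regex is matched.
authz-regexp
    "uid=host/consumer1,cn=gssapi,cn=auth"
    "cn=consumer1,ou=proxies,dc=example,dc=com"
# Consult only the authzTo rule on the proxy's entry (assumed policy; the
# thread's "both" would additionally require an authzFrom on every target).
authz-policy to

# --- LDIF applied on the provider with ldapmodify (entry assumed to exist) ---
# One dn.subtree rule on the proxy's own entry authorises it to assume the
# identity of any entry below ou=people, which is what question 2 asks for.
dn: cn=consumer1,ou=proxies,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.subtree:ou=people,dc=example,dc=com
```

With authz-policy to, the subtree rule on the proxy entry is sufficient; no per-entry authzFrom is needed on the children of ou=people.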