I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining. Can someone please help me figure this configuration out.
I have an LDAP master and an LDAP slave, and I want the slave to chain updates to the master so the clients don't have to worry about following referrals.
I am successful in getting the slave to follow the referral and return errors from the master; however, with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficient access or needing more rights.
- Client binds with dn and password to slave
- Client submits modify request to slave
- Slave binds to master with binddn (bindmethod=simple)
- Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE)
- Slave submits modify to master as client (chain is global)
- Master checks client's dn for access
- Master performs update
- Master returns result to slave
- Slave returns result to client
# ldapsearch cn=replicator authzTo -LLL
Enter LDAP Password:
dn: cn=replicator,dc=company,dc=com
authzTo: dn:*
You can see in the case of mode=legacy that I have given my replicator account authzTo
# slave slapd.conf
# Global Section
overlay chain
chain-tls start
chain-chase-referrals yes
chain-return-error true
chain-uri "ldap://ldapmaster.company.net/"
chain-rebind-as-user TRUE
# chain-idassert-bind takes all of its arguments on one logical line;
# in slapd.conf a continuation line must begin with whitespace.
chain-idassert-bind
        bindmethod="simple"
        binddn="cn=replicator,dc=company,dc=com"
        credentials="secret"
        starttls="yes"
        tls_reqcert="allow"
        mode="self"
# Database Sections
database bdb
suffix "dc=company,dc=com"
rootdn "cn=manager,dc=company,dc=com"
... removed for brevity ...
updateref ldap://ldapmaster.company.net/
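The slave-side configuration above covers only one half of identity assertion. With mode=self the chain overlay binds to the master as cn=replicator and then asserts the client's DN with the proxied authorization control (RFC 4370); the master evaluates its ACLs against the asserted DN, which is the step the flow above labels "Master checks client's dn for access". The master only honours that control when its own authz-policy allows it, and the default policy is none, so an authzTo value on the replicator entry alone is not enough. The fragment below is an added example for the master side, not from the original post or the OpenLDAP project: the hostname and DNs are taken from the post, the regex restricting which identities may be assumed is an assumption chosen for least privilege rather than the dn:* rule shown in the post, and the ldapwhoami check at the end is a way to test the master's proxy-authorization setup independently of the chain overlay.

```conf
# --- master slapd.conf (added example) ---
# Global section. "to" means: an authenticated identity may assume another
# identity only if its own entry's authzTo attribute permits the target.
# Without this directive (default: none) every proxyAuthz request is
# rejected, whatever authzTo says, and chained operations in mode=self fail.
authz-policy to

# Database section; suffix and rootdn as in the post. ACLs here are
# evaluated against the asserted (client) DN, not against cn=replicator,
# so cn=replicator itself needs no write access to the entries it proxies.
database bdb
suffix   "dc=company,dc=com"
rootdn   "cn=manager,dc=company,dc=com"
# ... directory, indexes and ACLs omitted ...

# The replicator entry carries the rule (LDIF, applied as rootdn because
# authzTo is an operational attribute). The regex is an assumption that
# confines assertion to identities under the suffix; a plain "*" would let
# cn=replicator become anyone, including the rootdn.
#   dn: cn=replicator,dc=company,dc=com
#   changetype: modify
#   replace: authzTo
#   authzTo: dn.regex:^.*,dc=company,dc=com$

# Check the master directly, bypassing the chain overlay. A working
# setup answers with the asserted DN; "insufficient access" here means
# authz-policy/authzTo on the master, not the slave's chain config.
#   ldapwhoami -H ldap://ldapmaster.company.net/ -ZZ \
#     -D cn=replicator,dc=company,dc=com -W \
#     -e '!authzid=dn:uid=someuser,dc=company,dc=com'
#   (uid=someuser is a placeholder for any entry under the suffix)
```

If the ldapwhoami check succeeds but chained modifies still fail, the remaining suspects are on the slave: the idassert-bind credentials, and whether the modify is actually being chained at all rather than returned as a referral.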