I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining.  Can someone please help me figure this configuration out.

I have a ldap master and ldap slave and I want the slave to chain updates to the master so the clients don't have to worry about following referrals.

I am successful in getting the slave to follow the referral and return errors from the master however with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficent access or needing more rights.

  1. Client binds with dn and password to slave
  2. Client submits modify request to slave
  3. Slave binds to master with binddn (bindmethod=simple)
  4. Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE)
  5. Slave submits modify to master as client (chain is global)
  6. Master checks client's dn for access
  7. Master performs update
  8. Master returns result to slave
  9. Slave returns result to client
# ldapsearch cn=replicator authzTo -LLL
Enter LDAP Password:
dn: cn=replicator,dc=company,dc=com
authzTo: dn:*

You can see in the case of mode=legacy that I have given my replicator account authzTo

# slave slapd.conf
# Global Section
overlay chain
chain-tls start
chain-chase-referrals yes
chain-return-error true

chain-uri "ldap://ldapmaster.company.net/"
chain-rebind-as-user TRUE
chain-idassert-bind
  bindmethod="simple"
  binddn="cn=replicator,dc=company,dc=com"
  credentials="secret"
  starttls="yes"
  tls_reqcert="allow"
  mode="self"

# Database Sections
database  bdb
suffix    "dc=company,dc=com"
rootdn    "cn=manager,dc=company,dc=com"
... removed for brevity ...
updateref ldap://ldapmaster.company.net/