Ed Greenberg edg@greenberg.org wrote:
    overlay chain
    chain-rebind-as-user FALSE
    chain-uri "ldap://master.mydomain.com"
    chain-rebind-as-user TRUE
    chain-idassert-bind bindmethod="simple" binddn="cn=Manager,dc=mydomain,dc=com" credentials="secret" mode="self"
I have this on the slave. The cn=foo is a bug workaround for getting it working with certificates.

    overlay chain
    chain-uri ldaps://ldapmaster.example.net
    chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="cn=foo" mode=self
    chain-idassert-authzFrom "*"
    chain-return-error TRUE

On the master. The authz-regexp maps the CN from the certificate to a DN in the tree:

    authz-policy to
    authz-regexp cn=ldapslave1.example.net cn=ldapslave1.example.net,o=example
    (...)
    access to attrs=authzTo by * read stop

And finally, in the LDAP tree:

    dn: cn=ldapslave1.example.net,o=example
    authzTo: *

It did work with 2.3 but seems broken in 2.4. The slave accepts the client's connection, but when it attempts to do the modification:

    modifying entry "uid=foo,o=example"
    ldap_modify: Authentication method not supported (7)
Any hint appreciated.
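As an added illustration, not the poster's configuration or slapd's own code: a small Python model of the authorization path the master-side config above relies on (certificate identity -> authz-regexp -> the mapped entry's authzTo values under authz-policy to). The regexp rule for ldapslave1 is the one from the post; the second slave, its narrower authzTo and the directory entries are constructed, and the SASL EXTERNAL identity is assumed to arrive as the certificate subject DN string.

```python
import re

# Added example, not the poster's config or slapd code: a simplified model of
# the proxy-authorization path the master config relies on. Assumption: the SASL
# EXTERNAL identity is the certificate subject DN as a string.

def map_authc_id(authc_id, authz_regexps):
    """Apply the first matching authz-regexp rule ($1..$9 back-references)."""
    for pattern, replacement in authz_regexps:
        m = re.search(pattern, authc_id, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return authc_id  # unmapped identities stay as they are

def _dn_norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def authz_to_permits(authz_to_values, target_dn):
    """Subset of authzTo forms: '*', dn:, dn.exact:, dn.regex:, dn.subtree:."""
    t = _dn_norm(target_dn)
    for v in authz_to_values:
        if v == "*":
            return True  # the post's setting: any identity may be asserted
        if v.startswith("dn.regex:"):
            if re.search(v[len("dn.regex:"):], target_dn, re.IGNORECASE):
                return True
        elif v.startswith("dn.subtree:"):
            base = _dn_norm(v[len("dn.subtree:"):])
            if t == base or t.endswith("," + base):
                return True
        elif v.startswith(("dn:", "dn.exact:")) and _dn_norm(v.split(":", 1)[1]) == t:
            return True
    return False

def may_assert(authc_id, target_dn, authz_regexps, directory):
    """Certificate identity -> authz-regexp -> entry -> authzTo decision."""
    entry = directory.get(_dn_norm(map_authc_id(authc_id, authz_regexps)))
    if entry is None:
        return False  # no entry for the mapped identity, nothing to consult
    return authz_to_permits(entry.get("authzTo", []), target_dn)

# Constructed sample data: the rule from the post plus a second, narrower slave.
AUTHZ_REGEXPS = [
    ("cn=ldapslave1.example.net", "cn=ldapslave1.example.net,o=example"),
    ("cn=ldapslave2.example.net", "cn=ldapslave2.example.net,o=example"),
]
DIRECTORY = {
    "cn=ldapslave1.example.net,o=example": {"authzTo": ["*"]},
    "cn=ldapslave2.example.net,o=example": {"authzTo": ["dn.subtree:ou=people,o=example"]},
}
```

With authzTo: * the first slave may assert uid=foo,o=example, while a slave restricted to dn.subtree:ou=people,o=example is refused for that entry; an identity with no matching authz-regexp rule (and hence no entry) is refused outright.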