Hi,
I am interested in knowing more about chain overlay and have some questions. Can anyone provide more sources or links for me to read?
Thanks,
Simon
Simon Gao wrote:
Hi,
I am interested in knowing more about chain overlay and have some questions. Can anyone provide more sources or links for me to read?
Thanks,
Simon
Please ask, that's what this list is for.
Gavin.
On 6/4/07, Simon Gao gao@schrodinger.com wrote:
Hi,
I am interested in knowing more about chain overlay and have some questions. Can anyone provide more sources or links for me to read?
http://www.openldap.org/software/man.cgi?query=slapo-chain&apropos=0&...
http://www.openldap.org/faq/index.cgi?_highlightWords=chain&file=1200
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/scripts/test032-ch...
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/slapd-chain1....
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/slapd-chain2....
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/test-chain1.l...
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/test-chain2.l...
Good luck.
_Matt
Thanks for the links.
After reading the man page and the links, I managed to get the chain overlay working with simple bind. However, I would like to set it up using SASL bind, since the consumer already uses SASL binding to retrieve updates. Is this possible with 2.3.35? Or is there something special to set up for SASL binding to work with the chain overlay?
Here is the related setting:
====================================================================================
overlay chain
chain-rebind-as-user FALSE

chain-uri ldaps://ldap1.example.com
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=sasl saslmech=GSSAPI binddn="uid=host/ldap2.example.com,cn=gssapi,cn=auth" mode="self"
====================================================================================
ldap1 is the provider and ldap2 is one of the consumers.
Here is the related log:
====================================================================================
Jun 7 11:30:50 ldap1 slapd[28399]: connection_get(14): got connid=135
Jun 7 11:30:50 ldap1 slapd[28399]: connection_read(14): checking for input on id=135
Jun 7 11:30:50 ldap1 slapd[28399]: do_modify
Jun 7 11:30:50 ldap1 slapd[28399]: => get_ctrls
Jun 7 11:30:50 ldap1 slapd[28399]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
Jun 7 11:30:50 ldap1 slapd[28399]: >>> dnNormalize: <uid=user1,ou=people,dc=example,dc=com>
Jun 7 11:30:50 ldap1 slapd[28399]: <<< dnNormalize: <uid=user1,ou=people,dc=example,dc=com>
Jun 7 11:30:50 ldap1 slapd[28399]: ==>slap_sasl2dn: converting SASL name uid=user1,ou=people,dc=example,dc=com to a DN
Jun 7 11:30:50 ldap1 slapd[28399]: slap_authz_regexp: converting SASL name uid=user1,ou=people,dc=example,dc=com
Jun 7 11:30:50 ldap1 slapd[28399]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jun 7 11:30:50 ldap1 slapd[28399]: parseProxyAuthz: conn=135 "uid=user1,ou=people,dc=example,dc=com"
Jun 7 11:30:50 ldap1 slapd[28399]: ==>slap_sasl_authorized: can uid=host/ldap2.example.com,cn=gssapi,cn=auth become uid=user1,ou=people,dc=example,dc=com?
Jun 7 11:30:50 ldap1 slapd[28399]: <== slap_sasl_authorized: return 48
Jun 7 11:30:50 ldap1 slapd[28399]: <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
Jun 7 11:30:50 ldap1 slapd[28399]: send_ldap_result: conn=135 op=4 p=3
Jun 7 11:30:50 ldap1 slapd[28399]: send_ldap_response: msgid=5 tag=103 err=47
Jun 7 11:30:50 ldap1 slapd[28399]: do_modify: get_ctrls failed
Jun 7 11:30:50 ldap1 slapd[28399]: >>> slap_listener(ldaps://)
Jun 7 11:30:50 ldap1 slapd[28399]: connection_get(23): got connid=138
Jun 7 11:30:50 ldap1 slapd[28399]: connection_read(23): checking for input on id=138
Jun 7 11:30:50 ldap1 slapd[28399]: connection_get(23): got connid=138
Jun 7 11:30:50 ldap1 slapd[28399]: connection_read(23): checking for input on id=138
Jun 7 11:30:50 ldap1 slapd[28399]: connection_read(23): TLS accept failure error=-1 id=138, closing
Jun 7 11:30:50 ldap1 slapd[28399]: connection_closing: readying conn=138 sd=23 for close
Jun 7 11:30:50 ldap1 slapd[28399]: connection_close: conn=138 sd=-1
====================================================================================
Simon
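
Added example, not part of the original thread and not OpenLDAP project code: the log in the message above records the provider refusing the consumer's request to act as another identity, and this Python example pairs each `slap_sasl_authorized` question with its return code so that such refusals can be listed from a slapd trace log. The function names are hypothetical, the sample lines are copied from the post, and treating a return code of 0 as "allowed" is an assumption.

```python
import re

# Constructed sample: five entries copied from the log in the post above.
SAMPLE_LOG = """\
Jun 7 11:30:50 ldap1 slapd[28399]: parseProxyAuthz: conn=135 "uid=user1,ou=people,dc=example,dc=com"
Jun 7 11:30:50 ldap1 slapd[28399]: ==>slap_sasl_authorized: can uid=host/ldap2.example.com,cn=gssapi,cn=auth become uid=user1,ou=people,dc=example,dc=com?
Jun 7 11:30:50 ldap1 slapd[28399]: <== slap_sasl_authorized: return 48
Jun 7 11:30:50 ldap1 slapd[28399]: <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
Jun 7 11:30:50 ldap1 slapd[28399]: do_modify: get_ctrls failed
"""

PREFIX = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+slapd\[(?P<pid>\d+)\]:\s(?P<msg>.*)$")
CONN = re.compile(r"parseProxyAuthz: conn=(\d+)")
ASK = re.compile(r"==>\s*slap_sasl_authorized: can (?P<authc>.+?) become (?P<authz>.+)\?\s*$")
RET = re.compile(r"<==\s*slap_sasl_authorized: return (-?\d+)")
ERR = re.compile(r'<= get_ctrls: .*rc=(\d+) err="([^"]*)"')


def proxy_authz_decisions(lines):
    """Pair each 'can X become Y?' question with its return code.

    State is kept per (host, pid). slapd threads share one pid, so on a busy
    server interleaved entries can be mispaired; treat results as leads.
    """
    decisions, conn, pending, last = [], {}, {}, {}
    for line in lines:
        m = PREFIX.match(line.rstrip())
        if not m:
            continue
        key, msg = (m["host"], m["pid"]), m["msg"]
        if c := CONN.search(msg):
            conn[key] = int(c[1])
        elif a := ASK.search(msg):
            pending[key] = {"ts": m["ts"], "host": m["host"], "conn": conn.get(key),
                            "authc": a["authc"], "authz": a["authz"], "error": None}
        elif (r := RET.search(msg)) and key in pending:
            d = last[key] = pending.pop(key)
            d["rc"] = int(r[1])
            d["allowed"] = d["rc"] == 0  # assumption: 0 (LDAP success) means allowed
            decisions.append(d)
        elif (e := ERR.search(msg)) and key in last and not last[key]["allowed"]:
            last.pop(key)["error"] = e[2]  # text slapd returned to the client
    return decisions


def denied(decisions):
    """Refused identity assertions, as (authc DN, requested authz DN, conn)."""
    return [(d["authc"], d["authz"], d["conn"]) for d in decisions if not d["allowed"]]


if __name__ == "__main__":
    for authc, authz, conn_id in denied(proxy_authz_decisions(SAMPLE_LOG.splitlines())):
        print(f"conn={conn_id}: {authc} was refused the identity {authz}")
```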
openldap-software@openldap.org