I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining. Can someone please help me figure this configuration out.

I have a ldap master and ldap slave and I want the slave to chain updates to the master so the clients don't have to worry about following referrals.

I am successful in getting the slave to follow the referral and return errors from the master however with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficent access or needing more rights.

1. Client binds with dn and password to slave 2. Client submits modify request to slave 3. Slave binds to master with binddn (bindmethod=simple) 4. Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE) 5. Slave submits modify to master as client (chain is global) 6. Master checks client's dn for access 7. Master performs update 8. Master returns result to slave 9. Slave returns result to client

# ldapsearch cn=replicator authzTo -LLL Enter LDAP Password: dn: cn=replicator,dc=company,dc=com authzTo: dn:*

You can see in the case of mode=legacy that I have given my replicator account authzTo

# slave slapd.conf # Global Section overlay chain chain-tls start chain-chase-referrals yes chain-return-error true

chain-uri "ldap://ldapmaster.company.net/" chain-rebind-as-user TRUE chain-idassert-bind bindmethod="simple" binddn="cn=replicator,dc=company,dc=com" credentials="secret" starttls="yes" tls_reqcert="allow" mode="self"

# Database Sections database bdb suffix "dc=company,dc=com" rootdn "cn=manager,dc=company,dc=com" ... removed for brevity ... updateref ldap://ldapmaster.company.net/