Hello!
I've implemented a simple openldap master and consumer architecture. To achieved this, I had to implement back-ldap chain overlay (in order to have a read only "slave"), and syncprov overlay, to synchronize data from master to the slave.
This implementation works fine. I have data from the master, replicated into the slave. When I try to modify an object from the consumer using the administrative account "cn=admin,dc=company,dc=com", references the modify command to the master. The master performs the operation and returns the consumer the operation result.
When I try to perform any modify operation with another authorized account, I get the following error
*LDAP said*:Proxied Authorization Denied*Error number*:0x7b ()*Description*: The account has permission to write the whole tree in both, the master and the slave. Here is my config on both servers:
#------- # Master #------- dn: cn=module,cn=config changetype: add objectClass: olcModuleList cn: module olcModulePath: /usr/lib/ldap olcModuleLoad: syncprov
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov
dn: olcDatabase={1}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=comdc=company,dc=com" write by anonymous read by * none olcAccess: {1}to attrs=shadowWarning,shadowMax,shadowMin by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by anonymous read by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by * read
#------- # Consumer #------- dn: cn=module,cn=config changetype: add objectClass: olcModuleList cn: module olcModulePath: /usr/lib/ldap olcModuleLoad: syncprov olcModuleLoad: back_ldap
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov
dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcSyncRepl olcSyncRepl: rid=001 provider=ldap://192.168.123.139binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" bindmethod=simple credentials=0p3n1d4pPr0d% searchbase="dc=bandes,dc=gob,dc=ve" type=refreshAndPersist scope=sub retry="5 10 10 +" timeout=1 sizelimit=unlimited schemachecking=on - add: olcUpdateRef olcUpdateRef: ldap://192.168.123.139
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcChainConfig olcOverlay: chain olcChainReturnError: TRUE olcChainMaxReferralDepth: 1
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config changetype: add objectClass: olcLDAPConfig objectClass: olcChainDatabase olcDatabase: ldap olcDbURI: ldap://192.168.123.139 olcDbRebindAsUser: TRUE olcDbChaseReferrals: TRUE olcDbProxyWhoAmI: TRUE olcDbNoRefs: FALSE olcDBIDAssertAuthzFrom: * olcDBACLBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d% olcDbIDAssertBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d% mode="self" flags="prescriptive,proxy-authz-non-critical"
Hope someone can help me out! Thanks in advanced