--On Monday, April 18, 2022 6:49 PM +0000 subbarao@computer.org wrote:
> Hope this helps clarify what I'm looking for.
Hi Kartik,
We do something similar at Klarna. Our olcDbIDAssertBind configuration is:
olcDbIDAssertBind: mode=self flags=override,prescriptive,proxy-authz-critical bindmethod=sasl saslmech=external tls_cert=... tls_key=... tls_cacert=...
Then our olcSyncrepl config has:
olcSyncrepl rid=001 provider=... bindmethod=sasl saslmech=external authzid="dn:cn=replicator,..." searchbase=... type=... keepalive=... retry=... tls_cert=... tls_key=... tls_cacert=... timeout=..
I would note that we also have a custom patch applied to the OpenLDAP 2.4 series to fix an issue with proxy authorization (it does not fully apply to 2.5+) and ACL evaluation using the wrong identity.
--Quanah
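The two settings above, written out as a complete cn=config LDIF. This is an added example and not Quanah's or Klarna's actual configuration: every path, hostname, DN, database index and timing value is a placeholder assumption, and only the attribute names and option keywords come from the message above.

```ldif
# Added example; placeholders (paths, hostnames, DNs, {n} indexes, timings)
# are assumptions, not values from the original thread.

# Proxy backend (slapd-ldap): assert the bound client's identity to the
# remote server. The proxy itself authenticates with a TLS client
# certificate (SASL/EXTERNAL); proxy-authz-critical marks the proxyAuthz
# control critical, so the operation fails instead of silently running
# as the proxy's own identity if the remote server rejects the assertion.
dn: olcDatabase={2}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: mode=self flags=override,prescriptive,proxy-authz-critical bindmethod=sasl saslmech=external tls_cert=/etc/ldap/tls/proxy.crt tls_key=/etc/ldap/tls/proxy.key tls_cacert=/etc/ldap/tls/ca.crt

# Consumer (syncrepl): authenticate to the provider with a TLS client
# certificate and ask to act as the replicator DN via authzid.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSyncrepl
olcSyncrepl: rid=001 provider=ldaps://ldap-provider.example.com bindmethod=sasl saslmech=external authzid="dn:cn=replicator,dc=example,dc=com" searchbase="dc=example,dc=com" type=refreshAndPersist keepalive=240:10:30 retry="60 +" tls_cert=/etc/ldap/tls/consumer.crt tls_key=/etc/ldap/tls/consumer.key tls_cacert=/etc/ldap/tls/ca.crt timeout=30
```

Two things on the provider side have to line up for this to work, and both are worth checking rather than assuming: the certificate subject the consumer or proxy presents must be mapped to a DN by the provider's olcAuthzRegexp, and that mapped DN must be permitted (olcAuthzTo on the mapped entry, or olcAuthzPolicy plus a matching olcAuthzFrom on the target) to assume the replicator DN named in authzid. `ldapwhoami -Y EXTERNAL` against the provider with the same certificate shows which DN the certificate actually maps to, and adding `-e authzid=dn:cn=replicator,dc=example,dc=com` shows whether the authorization step is accepted; if the latter is refused, syncrepl will run as whatever the certificate mapped to, which is exactly the wrong-identity ACL problem the message above mentions.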