Hello,
I have a master OpenLDAP server, with a bunch of slaves, and then Linux clients talking to the slaves. We've used olcUpdateRef/updateref for a while, but have a situation where we need to proxy connection on behalf of clients via the slaves.
So we have configured a slapo-chain(5) overlay, with the following settings:
olcDbURI: ldap://10.0.0.555/ olcDbIDAssertBind: bindmethod=simple \ binddn="cn=update,dc=example,dc=ca" \ credentials=s3cr3t mode=self olcDbRebindAsUser: TRUE
However, when users try to run passwd(1) (with pam_ldap.conf(5) having the "pam_password exop" setting) they get:
LDAP password information update failed: Strong(er) authentication required
only authenticated users may change passwords
passwd: Permission denied passwd: password unchanged
On the master, we have:
Apr 12 13:14:00 ops slapd[26119]: conn=16 fd=32 ACCEPT from
IP=111.222.333.444:59985 (IP=0.0.0.0:389)
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 BIND dn="" method=128 Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 RESULT tag=97 err=0 text= Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 EXT
oid=1.3.6.1.4.1.4203.1.11.1
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 PASSMOD Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 RESULT oid= err=8
text=only authenticated users may change passwords
The (cn=update...) DN has an "authzTo" attribute set to "{0}dn.regex:^uid=[^,]+,ou=People,dc=example,dc=ca".
I'm guessing I may need to set idassert-authzFrom (olc equiv?) to something. Is this correct? If so, should it be restricted to ou=People? If not, what am I missing?
Thanks for any info.
Regards, David