Hello,
I am testing the chain overlay from a read-only slave (consumer) slapd server to a read-write master (provider), but what I am seeing is an anonymous bind from the consumer to the provider instead of the authorization identity configurated in the chain directive.
consumer/10.112.107.53:
-------------------------------------
# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $
root@consumer:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
# grep -v -e '^#' -e '^$' slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/freeradius.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/custom.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
moduleload back_ldap.la
moduleload unique.la
moduleload ppolicy.la
moduleload dynlist.la
moduleload memberof.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la
overlay chain
chain-uri "ldap://10.112.107.51"
chain-idassert-bind bindmethod="simple"
binddn="cn=proxyuser,dc=example,dc=com"
credentials="12345678"
mode="self"
flags=non-prescriptive
chain-rebind-as-user TRUE
chain-return-error TRUE
access to *
by * write
serverID 101
allow bind_v2
database mdb
suffix "dc=example,dc=com"
dbnosync
rootdn "cn=Manager,dc=example,dc=com"
rootpw 12345678
directory /var/lib/ldap
maxsize 106300440576
index objectClass eq
index uid eq,sub
index entryCSN,entryUUID eq
loglevel stats
syncrepl rid=101
provider=ldap://10.112.107.51:389
type=refreshAndPersist
searchbase="dc=example,dc=com"
schemachecking=off
bindmethod=simple
retry="60 10 300 +"
binddn="cn=syncrepl,dc=example,dc=com"
credentials=12345678
updateref "ldap://10.112.107.51:389"
provider/10.112.107.51:
-----------------------------------
# slapd -V
@(#) $OpenLDAP: slapd 2.4.44 (Mar 23 2017 12:46:14) $
root@provider:/root/rpmbuild/BUILD/openldap-2.4.44/openldap-2.4.44/servers/slapd
# grep -v -e '^#' -e '^$' slapd.conf
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/freeradius.schema
include /etc/openldap/schema/authldap.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/custom.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
modulepath /usr/lib64/openldap
moduleload back_ldap.la
moduleload unique.la
moduleload ppolicy.la
moduleload dynlist.la
moduleload memberof.la
moduleload syncprov.la
moduleload accesslog.la
moduleload auditlog.la
access to *
by * write
serverID 001
authz-policy to
allow bind_v2
database mdb
suffix "dc=example,dc=com"
dbnosync
rootdn "cn=Manager,dc=example,dc=com"
rootpw 12345678
directory /var/lib/ldap
maxsize 106300440576
index objectClass eq
index uid eq,sub
index entryCSN,entryUUID eq
loglevel stats
limits dn="cn=proxyuser,dc=example,dc=com" size=unlimited
limits dn="cn=syncrepl,dc=example,dc=com" size=unlimited
overlay syncprov
syncprov-checkpoint 1000 1
syncprov-sessionlog 150000
syncprov-reloadhint TRUE
now I do an update in the consumer:
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 ACCEPT from IP=127.0.0.1:42198 (IP=0.0.0.0:389)
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" method=128
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 BIND dn="cn=Manager,dc=example,dc=com" mech=SIMPLE ssf=0
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=0 RESULT tag=97 err=0 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(employeeid=759042)"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SRCH attr=* +
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH base="dc=example,dc=com" scope=2 deref=2 filter="(uid=endwmkhwl60nehf2c)"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SRCH attr=* +
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com"
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 MOD attr=description
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 op=3 RESULT tag=103 err=8 text=
Apr 20 12:58:57 consumer slapd[23149]: conn=1004 fd=16 closed (connection lost)
and this is the corresponding log in the provider:
Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 ACCEPT from IP=10.112.107.53:58416 (IP=0.0.0.0:389)
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 BIND dn="" method=128
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=0 RESULT tag=97 err=0 text=
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD dn="uid=enDwmkHWl60NEHf2c,dc=example,dc=com"
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 MOD attr=description
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=1 RESULT tag=103 err=8 text=modifications require authentication
Apr 20 12:58:57 provider slapd[28974]: conn=3367 op=2 UNBIND
Apr 20 12:58:57 provider slapd[28974]: conn=3367 fd=16 closed
afaik, the bind dn in the provider must be the chain binddn configured in the consumer, but it gets an anonymous bind.
any suggestion about what can be my mistake??