Hey, all!
First, a BIG thank you to both JoBbZ and tarpman in #openldap, they've got me this far (p.s. JoBbZ- switched over to the symas packages for my test env, replacement was more or less seamless. need to schedule some downtime for prod, but thanks for passing that along!)
However, I'm now at a standstill.
I'm using the OLC config (...I guess that's like saying "PIN number").
I have two servers, foo.domain.tld and bar.domain.tld. foo.domain.tld has DSA of dc=domain,dc=com and bar.domain.tld has a DSA of dc=domain,dc=net.
I can successfully auth as e.g. cn=username,dc=domain,dc=net to foo.domain.tld using the following configuration (at olcDatabase={3}ldap,cn=config):
dn: olcDatabase={3}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
olcDatabase: {3}ldap
olcDbIDAssertAuthzFrom: {0}"dn:*"
olcDbIDAssertBind: mode=self
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: start
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
However, when I attempt to e.g. implement the following ACL on foo.domain.tld:
{2}to dn.exact="ou=groupname,dc=domain,dc=com" attrs=children (...) by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage by * none
I get the error:
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(it is a given that cn=username,dc=domain,dc=net is indeed a member ("member" attribute) of the groupOfNames object cn=GroupAdmins,dc=domain,dc=net and additionally, the cn=username,dc=domain,dc=net object has the "memberOf" attribute "cn=GroupAdmins,dc=domain,dc=net")
I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I need to reference the group in the ACL explicitly with the LDAP URI prefixed or something?
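A small parser for the slapd ACL debug trace quoted above, added here as an example that is not part of the post or of OpenLDAP: it folds the log lines into one record per access check and flags group patterns that live in a different naming context from the entry being protected, which is what the trace above shows (entry under the local suffix, group under the proxied one). The sample log is constructed in the same shape as the excerpt, with the host name and PID copied from it.

```python
import re
from dataclasses import dataclass, field
# Constructed sample shaped like the slapd debug excerpt in the post; not a live capture.
SAMPLE_LOG = """\
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
"""
PREFIX = re.compile(r'^\w{3} \d\d \d\d:\d\d:\d\d \S+ slapd\[\d+\]: (.*)$')  # syslog prefix
ENTRY = re.compile(r'^=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested$')
BY = re.compile(r'^=> acl_mask: to .* by "([^"]*)", \(=[^)]*\)$')
GROUP = re.compile(r'^<= check a_group_pat: (.*)$')
ERROR = re.compile(r'^Error: (.*)$')

@dataclass
class AclCheck:
    entry: str                 # entry whose access is being decided
    attr: str                  # attribute, or the pseudo-attribute "entry"
    subject: str = ""          # bound DN the access is evaluated for
    groups: list = field(default_factory=list)  # group.* patterns tried
    errors: list = field(default_factory=list)  # backend errors raised meanwhile

def parse_acl_trace(text: str) -> list:
    """Fold slapd ACL debug lines into one AclCheck per access decision."""
    checks = []
    for raw in text.splitlines():
        pm = PREFIX.match(raw)
        if not pm:
            continue  # not a slapd line
        msg = pm.group(1).strip()
        if (m := ENTRY.match(msg)):
            checks.append(AclCheck(entry=m.group(1), attr=m.group(2)))
        elif checks and (m := BY.match(msg)):
            checks[-1].subject = m.group(1)
        elif checks and (m := GROUP.match(msg)):
            checks[-1].groups.append(m.group(1))
        elif checks and (m := ERROR.match(msg)):
            checks[-1].errors.append(m.group(1))
    return checks

def naming_context(dn: str) -> str:
    """Trailing dc= components of a DN, lower-cased, e.g. 'dc=domain,dc=net'."""
    return ",".join(r.strip().lower() for r in dn.split(",") if r.strip().lower().startswith("dc="))

def cross_context_group_failures(checks: list) -> list:
    """(entry, group, last error) where the group sits in another naming context than the entry and a backend error followed."""
    return [(c.entry, g, c.errors[-1]) for c in checks for g in c.groups
            if c.errors and naming_context(g) != naming_context(c.entry)]
```

Run it over the output of slapd -d acl (or the journal lines shown above) to see, per access check, which group patterns were resolved against a foreign naming context before the backend error appeared.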