Hello,
You're right, 2.5 is available in backports, but I still preferred to use the stable version for fast delivery of security updates. The next release of Debian is coming soon; I will update my installations at that time.
I reconfigured chaining on the frontend instead of on the database, but I still have a problem. Same as before, if I try to connect to the LDAP slave with a bad password, the error is not reported on the LDAP master and I have nothing in the logs (level stats) that suggests it tried.
Furthermore, I tried to make a change on LDAP to test the chaining and I get the following error:
ldap_modify: Proxied Authorization Denied (123)
So, I mean I have an error to fix in chaining before hoping olcPPolicyForwardUpdates will work.
My chaining configuration follows:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
objectClass: top
olcOverlay: {0}chain
olcChainReturnError: TRUE
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
objectClass: top
olcDatabase: {0}ldap
olcDbURI: ldaps://ldap-master
olcDbCancel: abandon
olcDbChaseReferrals: TRUE
olcDbConnectionPoolMax: 8
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: FALSE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbSingleConn: FALSE
olcDbUseTemporaryConn: FALSE
olcDbACLBind: bindmethod=simple binddn="uid=syncrepl,ou=sysaccounts,o=example" credentials="secret" keepalive=10:30:60 network-timeout=0 timeout=0
olcDbIDAssertBind: mode=self bindmethod=simple binddn="uid=syncrepl,ou=sysaccounts,o=example" credentials="secret" authz=proxyauthz keepalive=10:30:60 network-timeout=0 timeout=0
I also configured authzProxy on master and slave:
dn: cn=config
[...]
olcAuthzPolicy: to

dn: olcDatabase={1}mdb,cn=config
[...]
olcAccess: {0}to dn.subtree="cn=subschema" by * read
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {2}to attrs=authzTo by self read
olcAccess: {3}to attrs=authzFrom by * read
[...]
olcUpdateRef: ldaps://ldap-master

dn: uid=syncrepl,ou=sysaccounts,o=example
[...]
authzTo: {0}dn.regex:^uid=.*,o=example$
authzTo: {1}dn.regex:^mail=.*,o=example$
Do you see something I'm doing wrong?
Many thanks!
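Added example, not part of this thread and not OpenLDAP code: with olcAuthzPolicy set to "to" and idassert mode=self, the chain database asserts the original client's identity to the master, and the master checks that identity against the authzTo rules of the account it was bound as (uid=syncrepl above). The script below is a simplified, stand-alone model of how such dn.exact / dn.regex / dn.children / dn.subtree rules are matched, so you can see which client DNs the two authzTo rules quoted above would cover and which would not; it is an assumption-labelled approximation of slapd's matching (DN normalization is simplified), and the sample DNs are constructed.

```python
import re

# Constructed sample: the syncrepl proxy account's authzTo values, in the same
# {N}style:pattern form they take in an LDAP entry (copied from the message above).
AUTHZ_TO_RULES = [
    "{0}dn.regex:^uid=.*,o=example$",
    "{1}dn.regex:^mail=.*,o=example$",
]

ORDER_PREFIX = re.compile(r"^\{\d+\}")
SUPPORTED_STYLES = {"dn.exact", "dn.regex", "dn.children", "dn.subtree"}


def normalize_dn(dn):
    """Simplified DN normalization (assumption: slapd's real normalization is
    schema-aware; here we only strip spaces around commas and lowercase)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_authz_rule(value):
    """Split one authzTo/authzFrom value into (style, pattern).
    A bare 'dn:' is treated as 'dn.exact', as slapd documents."""
    value = ORDER_PREFIX.sub("", value.strip())
    if ":" not in value:
        raise ValueError(f"malformed authz rule: {value!r}")
    style, pattern = value.split(":", 1)
    style = style.lower()
    if style == "dn":
        style = "dn.exact"
    if style not in SUPPORTED_STYLES:
        raise ValueError(f"unsupported authz style in this model: {style!r}")
    return style, pattern


def rule_matches(style, pattern, asserted_dn):
    """Return True if the asserted identity DN satisfies one parsed rule."""
    ndn = normalize_dn(asserted_dn)
    if style == "dn.exact":
        return ndn == normalize_dn(pattern)
    if style == "dn.regex":
        # slapd matches the regex against the normalized DN, case-insensitively.
        return re.search(pattern, ndn, re.IGNORECASE) is not None
    base = normalize_dn(pattern)
    if style == "dn.subtree":
        return ndn == base or ndn.endswith("," + base)
    if style == "dn.children":
        return ndn != base and ndn.endswith("," + base)
    raise ValueError(style)


def first_matching_rule(rules, asserted_dn):
    """Return the first authzTo value that permits asserting asserted_dn,
    or None when no rule matches (the case in which slapd refuses the
    proxied authorization)."""
    for raw in rules:
        style, pattern = parse_authz_rule(raw)
        if rule_matches(style, pattern, asserted_dn):
            return raw
    return None


def authz_to_permits(rules, asserted_dn):
    return first_matching_rule(rules, asserted_dn) is not None


if __name__ == "__main__":
    # Constructed client identities to check against the rules above.
    for dn in ("uid=jdoe,ou=people,o=example",
               "mail=jdoe@example.org,ou=people,o=example",
               "cn=admin,o=example",
               "uid=jdoe,o=other"):
        rule = first_matching_rule(AUTHZ_TO_RULES, dn)
        print(f"{dn:45s} -> {'permitted by ' + rule if rule else 'NOT permitted'}")
```

Running it shows that a client bound as an entry whose DN does not start with uid= or mail= directly under o=example (for instance a cn= admin entry, or any DN outside o=example) is not covered by either authzTo value. A useful check before blaming the chain overlay itself is therefore to run the same comparison with the exact DN you were bound as when the modify was refused.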
On 24/04/2023 at 23:48, Quanah Gibson-Mount wrote:
--On Saturday, April 22, 2023 6:07 PM +0200 Benjamin Renard brenard@easter-eggs.com wrote:
you failed to provide any OpenLDAP version information.
You're right, I'm using slapd 2.4.57+dfsg-3+deb11u1 (on Debian stable).
Hi,
As a side note, OpenLDAP 2.4 series is historic and no longer supported. I believe Debian has 2.5 available in backports for stable? Or there are builds for currently supported release series available from Symas or the LTB project:
https://repo.symas.com/ https://ltb-project.org/download.html
with that out of the way....
If you read the admin guide (https://www.openldap.org/doc/admin25/overlays.html#Chaining), it is explicitly stated that the chain configuration exists before any database definitions (i.e., in the frontend). Here's what my cn=config looks like for chain and back-ldap sitting on top of it with OpenLDAP 2.6. Note that I populate both olcDbACLBind and olcDbIDAssertBind:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldaps://<provider>:<port>
olcDbACLBind: bindmethod=...
olcDbIDAssertBind: mode=self ...
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 8
olcDbSessionTrackingRequest: TRUE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
Hope that helps!
Regards, Quanah