Matthew Kemp wrote:

On Thu, Apr 20, 2017 at 6:36 AM, mailing lists <listas.correo@yahoo.es
<mailto:listas.correo@yahoo.es>> wrote:

    Hello,

    I am testing the chain overlay from a read-only slave (consumer) slapd
    server to a read-write master (provider), but what I am seeing is an
    anonymous bind from the consumer to the provider instead of the
    authorization identity configurated in the chain directive.


We're also seeing the same behavior and reported a similar issue last month to
this list:
http://www.openldap.org/lists/openldap-technical/201703/msg00047.html

I'm hopeful we can track down this issue as it's causing us some issues that
we'll need to resolve eventually.

Only ProxyAuth will work, now.

As documented, the chain overlay only intercepts responses to operations, and only acts when it sees a referral in the response. In order for rebind-as-user to work, the overlay would need to intercept Bind requests and cache the credentials, but it never intercepts Bind requests, therefore it has nothing to rebind with. It *could* intercept referrals from Bind responses, and grab the user's credentials at that point. But back in 2004 we turned those off, and slapd now will never return a referral to a Bind request. (commit 100facedf3c9ec241121a5e3ad7aa059a7c57bc2 in git.) Probably we should remove references to rebind-as-user from the slapo-chain(5) manpage now, since that commit basically killed this feature.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/