Hello!
I've implemented a simple OpenLDAP master and consumer architecture. To achieve this, I had to implement the back-ldap chain overlay (in order to have a read-only "slave") and the syncprov overlay, to synchronize data from the master to the slave.
This implementation works fine. I have data from the master replicated into the slave. When I try to modify an object from the consumer using the administrative account "cn=admin,dc=company,dc=com", the consumer refers the modify command to the master. The master performs the operation and returns the operation result to the consumer.
When I try to perform any modify operation with another authorized account, I get the following error:

LDAP said: Proxied Authorization Denied
Error number: 0x7b ()
Description:

The account has permission to write the whole tree in both the master and the slave. Here is my config on both servers:
#-------
# Master
#-------
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=company,dc=com" write
  by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write
  by anonymous read
  by * none
olcAccess: {1}to attrs=shadowWarning,shadowMax,shadowMin
  by self write
  by dn="cn=admin,dc=company,dc=com" write
  by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write
  by anonymous read
  by * none
olcAccess: {2}to dn.base=""
  by * read
olcAccess: {3}to *
  by self write
  by dn="cn=admin,dc=company,dc=com" write
  by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write
  by * read
#-------
# Consumer
#-------
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov
olcModuleLoad: back_ldap

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001
  provider=ldap://192.168.123.139
  binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve"
  bindmethod=simple
  credentials=0p3n1d4pPr0d%
  searchbase="dc=bandes,dc=gob,dc=ve"
  type=refreshAndPersist
  scope=sub
  retry="5 10 10 +"
  timeout=1
  sizelimit=unlimited
  schemachecking=on
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.123.139

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE
olcChainMaxReferralDepth: 1

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://192.168.123.139
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: TRUE
olcDbNoRefs: FALSE
olcDbIDAssertAuthzFrom: *
olcDbACLBind: bindmethod="simple"
  binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve"
  credentials=0p3n1d4pPr0d%
olcDbIDAssertBind: bindmethod="simple"
  binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve"
  credentials=0p3n1d4pPr0d%
  mode="self"
  flags="prescriptive,proxy-authz-non-critical"
Hope someone can help me out! Thanks in advance.
openldap-technical@openldap.org
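Provider-side authorization that an idassert-bind with mode="self" depends on, as an added example that is not part of the original post: the proxyAuthz control the chain overlay sends is only honoured if the provider's authz policy and the proxy identity's authzTo attribute permit the asserted DN. It assumes the post's cn=syncReplUser as the proxy identity, a dc=company,dc=com suffix throughout, and that cn=config has numbered the chained database {0}ldap.

```ldif
# Constructed example for the provider (master); not the poster's config.
# 1. Turn on proxy-authorization checks. "to" means the binding identity's
#    own authzTo attribute decides which DNs it may assert.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# 2. Let the consumer's proxy identity assert only the accounts that are
#    actually chained, rather than the unrestricted dn.subtree:"" form.
dn: cn=syncReplUser,ou=Seguridad,dc=company,dc=com
changetype: modify
replace: authzTo
authzTo: dn.exact:cn=admin,dc=company,dc=com
authzTo: dn.exact:cn=idm,ou=Seguridad,dc=company,dc=com

# 3. Consumer side, for comparison: the post's "*" lets any local identity
#    be asserted through the proxy; restrict it to the same set of DNs.
#    (assumed DN: cn=config assigns index {0} to the first chained database)
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: modify
replace: olcDbIDAssertAuthzFrom
olcDbIDAssertAuthzFrom: dn.exact:cn=admin,dc=company,dc=com
olcDbIDAssertAuthzFrom: dn.exact:cn=idm,ou=Seguridad,dc=company,dc=com
```

Apply the first two entries on the provider and the third on the consumer with ldapmodify against each server's cn=config; the provider check is the one that produces a 0x7b (proxied authorization denied) result when it fails.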