Hello,

I have a master OpenLDAP server, with a bunch of slaves, and then Linux clients talking to the slaves. We've used olcUpdateRef/updateref for a while, but have a situation where we need to proxy connection on behalf of clients via the slaves.

So we have configured a slapo-chain(5) overlay, with the following settings:

olcDbURI: ldap://10.0.0.555/ olcDbIDAssertBind: bindmethod=simple \ binddn="cn=update,dc=example,dc=ca" \ credentials=s3cr3t mode=self olcDbRebindAsUser: TRUE

However, when users try to run passwd(1) (with pam_ldap.conf(5) having the "pam_password exop" setting) they get:

LDAP password information update failed: Strong(er) authentication required

only authenticated users may change passwords

passwd: Permission denied passwd: password unchanged

On the master, we have:

Apr 12 13:14:00 ops slapd[26119]: conn=16 fd=32 ACCEPT from

IP=111.222.333.444:59985 (IP=0.0.0.0:389)

Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 BIND dn="" method=128 Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 RESULT tag=97 err=0 text= Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 EXT

oid=1.3.6.1.4.1.4203.1.11.1

Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 PASSMOD Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 RESULT oid= err=8

text=only authenticated users may change passwords

The (cn=update...) DN has an "authzTo" attribute set to "{0}dn.regex:^uid=[^,]+,ou=People,dc=example,dc=ca".

I'm guessing I may need to set idassert-authzFrom (olc equiv?) to something. Is this correct? If so, should it be restricted to ou=People? If not, what am I missing?

Thanks for any info.

Regards, David