
Re: HEADS-UP: chain overlay authz configuration (Was: Update question with chain overlay of sync replica ?)



[please keep replies on the list]

On Mon, 2005-12-12 at 13:38 +0800, William wrote:
> > On Fri, 2005-12-09 at 13:33 +0800, Zhang Zhi Wei wrote:
> > 
> > I have no clue right now about your issue; I'd like to point out that I
> > spotted a bug in slapd-ldap/slapo-chain which fixed a proxyAuthz issue.
> > This was released as of OpenLDAP 2.3.13 and went unnoticed (my fault;
> > I've posted a separate, late ITS#4256).
> > 
> > 
> >>consumer:
> >>overlay chain
> >>chain-uri ldap://master
> >>chain-acl-bind bindmethod=simple
> >>                   binddn="cn=Manager,dc=com"
> >>                   credentials=secret
> > 
> > 
> > This configuration is incorrect.  You need to configure the chain
> > overlay using the idassert, not the acl bind.  The acl bind used to work
> > because of the above bug.  The correct configuration is
> > 
> > overlay         chain
> > chain-uri       ldap://master
> > chain-idassert-bind     bindmethod=simple
> >                         binddn="cn=Manager,dc=com"
> >                         credentials=secret
> >                         mode=self
> 
> I have changed the config, but it seems to have no effect.
> I have tried both 2.3.12 and 2.3.13; they are the same.

Perhaps my message was not clear enough: this is __not__ going to solve
your issue, but in any case you need to use the __second__ form (chain-
idassert-bind), because the other one only worked because of a bug in
the software which was fixed in 2.3.13.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
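
The following is an added example, not part of the original message or of OpenLDAP: a small checker that reads slapd.conf text and reports which `overlay chain` instances still rely on `chain-acl-bind` alone, the form the thread says only worked because of the bug fixed in 2.3.13. The sample fragments are constructed from the two configurations quoted above, and the section handling (a `database` or `backend` line ends the overlay's directives) is a simplifying assumption.

```python
# Constructed slapd.conf fragments mirroring the two forms quoted in the thread.
OLD_FORM = """overlay chain
chain-uri ldap://master
chain-acl-bind bindmethod=simple
                   binddn="cn=Manager,dc=com"
                   credentials=secret
"""
NEW_FORM = """overlay         chain
chain-uri       ldap://master
chain-idassert-bind     bindmethod=simple
                        binddn="cn=Manager,dc=com"
                        credentials=secret
                        mode=self
"""

def logical_lines(text):
    """Join continuation lines (leading whitespace), then drop '#' comments."""
    joined = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    return [line for line in joined if not line.startswith("#")]

def audit_chain(text):
    """Return (uris, status) for every 'overlay chain' instance found."""
    instances, cur = [], None
    for line in logical_lines(text):
        parts = line.split(None, 1)
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "overlay":
            cur = {"uris": [], "binds": set()} if rest.strip().lower() == "chain" else None
            if cur is not None:
                instances.append(cur)
        elif key in ("database", "backend"):
            cur = None  # simplification: a new section ends the overlay's directives
        elif cur is not None and key == "chain-uri":
            cur["uris"].append(rest.strip('"'))
        elif cur is not None and key in ("chain-acl-bind", "chain-idassert-bind"):
            cur["binds"].add(key)
    def status(binds):
        if "chain-idassert-bind" in binds:
            return "idassert"
        return "acl-bind-only" if binds else "no-bind"
    return [(c["uris"], status(c["binds"])) for c in instances]

if __name__ == "__main__":
    for name, conf in (("old", OLD_FORM), ("new", NEW_FORM)):
        print(name, audit_chain(conf))
```

A status of `acl-bind-only` marks a chain overlay that needs converting to `chain-idassert-bind` before or when moving to 2.3.13.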