
Re: More information about chain overlay

Thanks for the links.

After reading the man page and the links, I managed to get the chain overlay
working with simple bind. However, I would like to set it up using SASL bind,
since the consumer already uses SASL binding to retrieve updates. Is this
possible with 2.3.35? Or is there something special to set up for SASL
binding to work with the chain overlay?

Here is the related configuration:
====================================================================================
overlay                 chain
chain-rebind-as-user    FALSE

chain-uri               ldaps://ldap1.example.com
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=sasl saslmech=GSSAPI
                        binddn="uid=host/ldap2.example.com,cn=gssapi,cn=auth"
                        mode="self"
====================================================================================

ldap1 is the provider and ldap2 is one of the consumers.

Here is the related log:
====================================================================================
Jun  7 11:30:50 ldap1 slapd[28399]: connection_get(14): got connid=135
Jun  7 11:30:50 ldap1 slapd[28399]: connection_read(14): checking for input on id=135
Jun  7 11:30:50 ldap1 slapd[28399]: do_modify
Jun  7 11:30:50 ldap1 slapd[28399]: => get_ctrls
Jun  7 11:30:50 ldap1 slapd[28399]: => get_ctrls: oid="2.16.840.1.113730.3.4.18" (critical)
Jun  7 11:30:50 ldap1 slapd[28399]: >>> dnNormalize: <uid=user1,ou=people,dc=example,dc=com>
Jun  7 11:30:50 ldap1 slapd[28399]: <<< dnNormalize: <uid=user1,ou=people,dc=example,dc=com>
Jun  7 11:30:50 ldap1 slapd[28399]: ==>slap_sasl2dn: converting SASL name uid=user1,ou=people,dc=example,dc=com to a DN
Jun  7 11:30:50 ldap1 slapd[28399]: slap_authz_regexp: converting SASL name uid=user1,ou=people,dc=example,dc=com
Jun  7 11:30:50 ldap1 slapd[28399]: <==slap_sasl2dn: Converted SASL name to <nothing>
Jun  7 11:30:50 ldap1 slapd[28399]: parseProxyAuthz: conn=135 "uid=user1,ou=people,dc=example,dc=com"
Jun  7 11:30:50 ldap1 slapd[28399]: ==>slap_sasl_authorized: can uid=host/ldap2.example.com,cn=gssapi,cn=auth become uid=user1,ou=people,dc=example,dc=com?
Jun  7 11:30:50 ldap1 slapd[28399]: <== slap_sasl_authorized: return 48
Jun  7 11:30:50 ldap1 slapd[28399]: <= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
Jun  7 11:30:50 ldap1 slapd[28399]: send_ldap_result: conn=135 op=4 p=3
Jun  7 11:30:50 ldap1 slapd[28399]: send_ldap_response: msgid=5 tag=103 err=47
Jun  7 11:30:50 ldap1 slapd[28399]: do_modify: get_ctrls failed
Jun  7 11:30:50 ldap1 slapd[28399]: >>> slap_listener(ldaps://)
Jun  7 11:30:50 ldap1 slapd[28399]: connection_get(23): got connid=138
Jun  7 11:30:50 ldap1 slapd[28399]: connection_read(23): checking for input on id=138
Jun  7 11:30:50 ldap1 slapd[28399]: connection_get(23): got connid=138
Jun  7 11:30:50 ldap1 slapd[28399]: connection_read(23): checking for input on id=138
Jun  7 11:30:50 ldap1 slapd[28399]: connection_read(23): TLS accept failure error=-1 id=138, closing
Jun  7 11:30:50 ldap1 slapd[28399]: connection_closing: readying conn=138 sd=23 for close
Jun  7 11:30:50 ldap1 slapd[28399]: connection_close: conn=138 sd=-1
====================================================================================

Simon

matthew sporleder wrote:
> On 6/4/07, Simon Gao <gao@schrodinger.com> wrote:
>> Hi,
>>
>> I am interested in knowing more about chain overlay and have some
>> questions. Anyone can provide more sources or links for me to read?
>>
>
> http://www.openldap.org/software/man.cgi?query=slapo-chain&apropos=0&sektion=0&manpath=OpenLDAP+2.3-Release&format=html
>
> http://www.openldap.org/faq/index.cgi?_highlightWords=chain&file=1200
>
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/scripts/test032-chain?rev=1.12&hideattic=1&sortbydate=0
>
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/slapd-chain1.conf?rev=1.10&hideattic=1&sortbydate=0
>
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/slapd-chain2.conf?rev=1.10&hideattic=1&sortbydate=0
>
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/test-chain1.ldif?rev=1.2&hideattic=1&sortbydate=0
>
> http://www.openldap.org/devel/cvsweb.cgi/~checkout~/tests/data/test-chain2.ldif?rev=1.3&hideattic=1&sortbydate=0
>
>
>
> Good luck.
>
> _Matt
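The log in the message above shows where the chained write dies: ldap1 receives the modify carrying the proxy authorization control (OID 2.16.840.1.113730.3.4.18), asks whether the consumer's GSSAPI identity uid=host/ldap2.example.com,cn=gssapi,cn=auth may become uid=user1,ou=people,dc=example,dc=com, and answers no (err=47, "not authorized to assume identity"). With mode="self" the chain overlay always asserts the original client's identity this way, so the decision belongs to the proxied server, which makes it from its authz-policy and the authzTo/authzFrom attributes described in slapd.conf(5). A bare SASL identity of the form uid=...,cn=gssapi,cn=auth has no entry of its own to carry an authzTo value unless an authz-regexp maps it onto one. The provider-side slapd.conf fragment below is an added example for this thread, not the poster's configuration and not taken from the OpenLDAP test suite; the entry cn=ldap2.example.com,ou=hosts,dc=example,dc=com and the ou=hosts container are assumptions.

```conf
# slapd.conf fragment for the provider (ldap1). Added example, not the
# poster's configuration and not from the OpenLDAP test suite.
# Assumed: a real entry cn=ldap2.example.com,ou=hosts,dc=example,dc=com
# represents the consumer host; ou=hosts is an invented container.

# 1. Map the GSSAPI identity the consumer binds with onto that entry.
#    The pattern matches the form slapd logged in the thread
#    (uid=host/ldap2.example.com,cn=gssapi,cn=auth). If your slapd logs
#    the identity with a cn=<realm> component, add it to the pattern.
authz-regexp
        "^uid=host/([^,]+),cn=gssapi,cn=auth$"
        "cn=$1,ou=hosts,dc=example,dc=com"

# 2. Answer "may X become Y?" from X's own entry: an authzTo value on
#    cn=ldap2.example.com,... lists the identities it may assume.
authz-policy    to

# 3. The mapped entry carries the grant (LDIF, loaded as the rootdn):
#
#    dn: cn=ldap2.example.com,ou=hosts,dc=example,dc=com
#    changetype: modify
#    add: authzTo
#    authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
#
#    Keep the regex narrow: a value such as dn.regex:.* would let the
#    consumer host impersonate any DN on the provider.

# 4. Check from the consumer host (ldap2) with its host keytab before
#    retesting the chained write. Assumes the keytab holds
#    host/ldap2.example.com:
#
#    kinit -k host/ldap2.example.com
#    ldapwhoami -Y GSSAPI -H ldaps://ldap1.example.com \
#        -e '!authzid=dn:uid=user1,ou=people,dc=example,dc=com'
#
#    When the grant is in place this prints
#    dn:uid=user1,ou=people,dc=example,dc=com; without it the same
#    "not authorized to assume identity" (err=47) seen in the thread
#    comes back.
```

authz-policy only settles whether the consumer host may become user1; once it does, the modify runs as uid=user1,ou=people,dc=example,dc=com and ldap1's ordinary ACLs decide whether that identity may write the entry. The consumer-side chain-idassert-authzFrom directive from slapd-ldap(5) is a different control: it restricts which local identities the chain overlay is willing to assert, and does nothing to persuade the provider.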