
Re: Does chain overlay support sasl binding?



Simon Gao wrote:

> That's great to know. Do you think following setup will work on a consumer?
> 
> =========================================================
> overlay                 chain
> chain-rebind-as-user    FALSE
> 
> chain-uri               ldaps://provider/
> chain-rebind-as-user    TRUE
> chain-idassert-bind     bindmethod=sasl
>                         saslmech=GSSAPI
>                         binddn="uid=host/consumer1,cn=gssapi,cn=auth"
>                         mode="self"
> =========================================================
> 
> I have set ACL on provider so that uid=host/consumer1 has correct
> permissions to write all attributes.  But it did not work. The error
> says that host/consumer1 not allowed to assert identity.
> 
> Do I need to make host/consumer1 an administrative identity on provider?
> How?
> 
> The issue I am trying to resolve is that I prefer not putting clear text
> password in slapd.conf. SASL binding fits such need perfectly if I can
> get it work with chain overlay.

It appears that authz is not allowed by the provider for that identity.
You need to make sure that host/consumer1 has an authzTo rule that
allows it to proxyAuthz, and you need to allow the appropriate authz-policy.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
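A provider-side slapd.conf fragment that implements the reply above (an added example, not configuration from the thread or from the OpenLDAP project; the entry DN cn=consumer1,ou=replicas,dc=example,dc=com and the ou=people subtree are placeholders):

```conf
# Provider slapd.conf (constructed example; replace the DNs for your directory)

# authz-policy "to": the bound identity's own authzTo attribute decides which
# identities it may assume through the proxyAuthz control sent by slapo-chain.
authz-policy to

# The consumer binds with GSSAPI, so it arrives as a SASL-derived DN that has
# no entry of its own. Map it onto a real entry, because authzTo must be
# stored on an entry of the authenticating identity.
authz-regexp
    "^uid=host/consumer1,cn=gssapi,cn=auth$"
    "cn=consumer1,ou=replicas,dc=example,dc=com"

# With mode="self" the chained operation is executed on the provider as the
# asserted client identity, so the write ACLs must grant that user, not
# host/consumer1, access to the attributes being modified.
access to dn.subtree="ou=people,dc=example,dc=com"
    by self write
    by * read
```

After loading this configuration, add `authzTo: dn.subtree:ou=people,dc=example,dc=com` to cn=consumer1,ou=replicas,dc=example,dc=com (as the rootdn) so that the mapped identity is permitted to assert any user under ou=people.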