Re: Does chain overlay support sasl binding?
Simon Gao wrote:
> That's great to know. Do you think the following setup will work on a consumer?
>
> =========================================================
> overlay chain
> chain-rebind-as-user FALSE
>
> chain-uri ldaps://provider/
> chain-rebind-as-user TRUE
> chain-idassert-bind bindmethod=sasl
>     saslmech=GSSAPI
>     binddn="uid=host/consumer1,cn=gssapi,cn=auth"
>     mode="self"
> =========================================================
>
> I have set ACL on provider so that uid=host/consumer1 has correct
> permissions to write all attributes. But it did not work. The error
> says that host/consumer1 not allowed to assert identity.
>
> Do I need to make host/consumer1 an administrative identity on provider?
> How?
>
> The issue I am trying to resolve is that I prefer not to put a clear-text
> password in slapd.conf. SASL binding fits such a need perfectly if I can
> get it to work with the chain overlay.
It appears that authz is not allowed by the provider for that identity.
You need to make sure that host/consumer1 has an authzTo rule that
allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
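The two provider-side pieces the reply asks for, an authz-policy and an authzTo rule on the binding identity, written out as an added example. This is not configuration from the thread or from the OpenLDAP project; the provider hostname, the suffix dc=example,dc=com, the host entry cn=consumer1,ou=hosts,dc=example,dc=com and the authz-regexp mapping are assumptions. The mapping is needed because authzTo is an attribute stored on an entry, and the SASL DN uid=host/consumer1,cn=gssapi,cn=auth is not an entry in the directory unless it is mapped to one.

```conf
### provider slapd.conf (added example; hostname, suffix and DNs are assumptions)

# Map the GSSAPI identity the consumer binds with onto a real entry, so that
# entry can carry the authzTo attribute. If the provider has no sasl-realm set,
# the SASL DN also carries a cn=<REALM> component; adjust the pattern to match
# what a "ldapwhoami -Y GSSAPI" from consumer1 actually reports.
authz-regexp
    "uid=host/([^,]+),cn=gssapi,cn=auth"
    "cn=$1,ou=hosts,dc=example,dc=com"

# "to": the authenticating entry lists whom it may proxy as (authzTo).
# The alternative, "from", would require an authzFrom value on every target
# entry naming the consumer; "both" enables the two at once.
authz-policy to

database mdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"

### LDIF applied to the provider as the rootdn (ldapmodify -x -D cn=admin,... -W)
### Grants cn=consumer1 the right to proxy-authorize as any entry under the suffix.
dn: cn=consumer1,ou=hosts,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.subtree:dc=example,dc=com

### consumer slapd.conf: the chain overlay, with continuation lines indented
### (a blank line or an unindented line ends the chain-idassert-bind directive)
overlay chain
chain-rebind-as-user FALSE

chain-uri "ldaps://provider/"
chain-rebind-as-user TRUE
chain-idassert-bind bindmethod=sasl
    saslmech=GSSAPI
    binddn="uid=host/consumer1,cn=gssapi,cn=auth"
```

Two things to keep in mind when checking this. First, the authzTo value can be narrowed: dn.subtree is the broadest useful form, and a dn.regex pattern or an ldap:///...?? URL with a filter limits which identities the consumer may assert. Second, once the proxyAuthz control is accepted, the chained operation runs on the provider under the asserted (client) identity, so the provider's ACLs have to grant the write to the end user being proxied, not only to the consumer's own entry; granting write access to cn=consumer1 alone, as the original post describes, does not cover the proxied operations.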