Re: Does chain overlay support sasl binding?
Pierangelo Masarati wrote:
> Simon Gao wrote:
>
>
>> That's great to know. Do you think the following setup will work on a consumer?
>>
>> =========================================================
>> overlay chain
>> chain-rebind-as-user FALSE
>>
>> chain-uri ldaps://provider/
>> chain-rebind-as-user TRUE
>> chain-idassert-bind bindmethod=sasl
>>     saslmech=GSSAPI
>>     binddn="uid=host/consumer1,cn=gssapi,cn=auth"
>>     mode="self"
>> =========================================================
>>
>> I have set ACL on provider so that uid=host/consumer1 has correct
>> permissions to write all attributes. But it did not work. The error
>> says that host/consumer1 is not allowed to assert identity.
>>
>> Do I need to make host/consumer1 an administrative identity on provider?
>> How?
>>
>> The issue I am trying to resolve is that I prefer not putting a clear text
>> password in slapd.conf. SASL binding fits such a need perfectly if I can
>> get it to work with chain overlay.
>>
>
> It appears that authz is not allowed by the provider for that identity.
> You need to make sure that host/consumer1 has an authzTo rule that
> allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
>
>
I am not making much progress. Here is what I tried to add to the provider's
slapd.conf:
authz-policy both
authzFrom dn.exact:uid=host/consumer1,cn=GSSAPI,cn=auth
authzTo dn.subtree:ou=people,dc=example,dc=com
Anything I missed?
Simon
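Editor's worked configuration, added here; it is not part of the thread and not copied from OpenLDAP's own documentation. It spells out the three pieces Pierangelo's reply refers to: authzTo and authzFrom are attributes carried by entries, not slapd.conf directives, so the provider first has to map the GSSAPI identity onto a real entry with authz-regexp, that entry then carries authzTo, and authz-policy selects which side is consulted. Everything under ou=hosts,dc=example,dc=com (cn=consumer1, objectClass device) and the ACL are assumptions for illustration; the SASL DN uid=host/consumer1,cn=gssapi,cn=auth is taken from the post as posted, and it is assumed that slapd on the consumer can read a keytab for host/consumer1 (KRB5_KTNAME in its environment), which is what lets the GSSAPI bind carry no password in slapd.conf.

```conf
# ---- provider: slapd.conf, global section (before the database) ----
# Proxy authorization is decided by attributes on entries, so choose which
# side is consulted: "to" reads authzTo on the entry of the identity that
# authenticated; "from" reads authzFrom on the target entry; "any" accepts
# either. One host entry listing what it may assert is the easiest to audit.
authz-policy to

# uid=host/consumer1,cn=gssapi,cn=auth is not an entry and can carry no
# authzTo, so map the GSSAPI identity onto a real entry. Match exactly what
# "ldapwhoami -Y GSSAPI" reports: a cn=<realm> component appears between
# uid= and cn=gssapi when the principal's realm is not slapd's default SASL
# realm (assumed absent here, following the post).
authz-regexp
    "uid=host/([^,]*),cn=gssapi,cn=auth"
    "cn=$1,ou=hosts,dc=example,dc=com"

# ---- provider: slapd.conf, inside the dc=example,dc=com database ----
# With mode=self the chained write runs as the asserted user DN once the
# proxyAuthz control is accepted, so the user's ordinary ACLs apply to it.
# The host identity needs no write access of its own (assumed ACL).
access to dn.subtree="ou=people,dc=example,dc=com"
    by self write
    by * read

# ---- provider: LDIF for the entry the host identity maps to ----
# Load with ldapadd as the rootdn (authzTo is an operational attribute).
# Scope authzTo to the replicated subtree only: a host allowed to assert
# any DN can act as any user of that directory.
dn: cn=consumer1,ou=hosts,dc=example,dc=com
objectClass: device
cn: consumer1
authzTo: dn.subtree:ou=people,dc=example,dc=com

# ---- consumer: slapd.conf, inside the replicated database section ----
# The GSSAPI bind takes its identity from the consumer's keytab
# (KRB5_KTNAME in slapd's environment); no credentials appear here.
overlay chain
# Hand the provider's error back to the client instead of the referral,
# so authorization failures are visible while testing.
chain-return-error TRUE
chain-uri "ldaps://provider/"
# Identity assertion is used instead of rebinding with the user's own
# credentials, so rebind-as-user stays off for this URI.
chain-rebind-as-user FALSE
# One directive; continuation lines start with whitespace.
chain-idassert-bind bindmethod=sasl
    saslmech=GSSAPI
    mode=self
# Only local identities under ou=people may ever be asserted upstream.
chain-idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
```

Each step can be checked from the consumer host without the chain overlay involved, holding a ticket for host/consumer1 (kinit -k with the host keytab): ldapwhoami -H ldaps://provider/ -Y GSSAPI must print dn:cn=consumer1,ou=hosts,dc=example,dc=com; if it still prints the uid=...,cn=auth form, the authz-regexp does not match the identity slapd derived from the principal, which is where a realm component or the full host instance name shows up. Then ldapwhoami -H ldaps://provider/ -Y GSSAPI -X dn:uid=someuser,ou=people,dc=example,dc=com must print that user's DN rather than an authorization error; only once that works is the chain overlay worth testing. Because mode=self makes the provider run the write as the asserted user, user DNs have to be identical on both servers (true for a replica), the ACL granting host/consumer1 write to all attributes is not what makes it succeed, and the narrow authzTo together with chain-idassert-authzFrom is what keeps a compromised consumer from asserting identities outside the subtree it replicates.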