Re: chaining question
Pierangelo Masarati wrote, on 05-09-2007 09:18:
>> The 2 2.3.37 and .38 chaining tests, 018 and 032 pass on my build
>> machine. But when I put these ad lib into slapd.conf on the consumer,
>> they don't.
>> What doesn't work after 'moduleload back_ldap.la':
>> overlay chain
>> chain-uri ldap://mercurius.intern/
>> chain-idassert-bind bindmethod=simple
>> binddn="cn=proxy,dc=barlaeus,dc=nl"
>> credentials=secret
>> mode=self
> What do you mean "doesn't work"? Do you mean that it doesn't chain
> anonymous searches? Did you try an authenticated search? Anonymous
> operation chaining is implicitly disabled by the idassert-bind
> directive, as you can see from slapd-ldap(5).
"Doesn't work" means that I get tag=103 err=10 in the consumer log
(loglevel 256), the client gets a referral. No clients on the consumer
other than Samba tools understand this, so referrals aren't followed by
them.
I'm not binding to the consumer anonymously, I'm binding as
"cn=proxy,dc=barlaeus,dc=nl" who has full authZTo rights. I'd expect the
above chain-idassert-bind to work, as it does in the tests, and it doesn't.
> If you want to let them thru anonymously you need to add
> "flags=non-prescriptive" to the idassert-bind statement; if you want
> anonymous to be asserted as anonymous as well, leave the idassert-bind
> statement as is, and add
> chain-idassert-authzFrom "*"
None of this is in test018 or test23. My above stanzas conform
completely to the slapd.confs for these tests.
There's no point in binding anonymously, my ACLs prohibit all access
other than auth to userPassword and all access whatsoever to most other
attributes.
>> [...]
>> overlay chain
>> chain-rebind-as-user FALSE
>> chain-uri ldap://mercurius.intern/
>> chain-rebind-as-user TRUE
>> chain-idassert-bind bindmethod=simple
>> binddn="cn=proxy,dc=barlaeus,dc=nl"
>> credentials=secret
>> mode=self
>> chain-tls start
>> Could someone please explain why the configuration for the two tests
>> should pass, while it doesn't on my consumer, and why the config with
>> the two chain-rebind-as-user stanzas does?
> I don't think that adding chain-rebind-as-user really makes any
> difference, because rebinding as user makes no sense if you use identity
> assertion: the user is not going to rebind anyway, as its identity is
> going to be asserted. The only thing that could change is in case
> chaining implies further referral chasing, i.e. if while chaining the
> operation another referral is encountered.
I tried to go to pains to point out that the second config stanzas
*work* (again, "work" means that the referral is recognized - tag=110 -
and no error is returned), while the first stanzas *do not* work -
tag=110 err=10. I also asked for an explanation of why (when this is not
the case with the tests).
It's no good telling me that chain-rebind-as-user is useless, when:
1: it's documented - though without an explanation - in SLAPO-CHAIN, and
2: it works ("works" means the referral from the slave is accepted and
passed to the master, while a config without it doesn't).
--Tonni
--
Tony Earnshaw
Email: tonni at hetnet dot nl
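The three behaviours Pierangelo describes, pulled together into one consumer-side slapd.conf fragment. This is an added example, not the configuration from either mail; the host, DNs and password are the placeholder values from the posted stanzas, and continuation lines are indented as slapd.conf requires.

```conf
# slapo-chain on a syncrepl consumer: chase the referral the consumer
# returns instead of handing it to clients that cannot follow it.
moduleload  back_ldap.la

overlay     chain
chain-uri   ldap://mercurius.intern/
# The proxy password below travels to the master on every chained op;
# protect it in transit and keep slapd.conf readable by the slapd user only.
chain-tls   start

# Variant 1 (the stanza as posted): authenticated clients are chained
# through cn=proxy with their own identity asserted (mode=self).
# Side effect: anonymous operations are not chained at all, so an
# anonymous client still gets the referral back (err=10 in the log).
chain-idassert-bind  bindmethod=simple
        binddn="cn=proxy,dc=barlaeus,dc=nl"
        credentials=secret
        mode=self

# Variant 2: same stanza plus flags=non-prescriptive. Operations whose
# identity may not be asserted (anonymous ones here) are forwarded
# anonymously rather than being refused.
#chain-idassert-bind  bindmethod=simple
#        binddn="cn=proxy,dc=barlaeus,dc=nl"
#        credentials=secret
#        mode=self
#        flags=non-prescriptive

# Variant 3: keep Variant 1 unchanged and widen the set of identities
# that may be asserted to everyone, so anonymous is asserted as anonymous.
#chain-idassert-authzFrom "*"
```

Variants 2 and 3 are mutually exclusive choices for the anonymous case; enable exactly one of them alongside Variant 1 and restart slapd.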