Re: slapo-chain
Pierangelo Masarati <ando@sys-net.it> wrote:
> > But the modification operation is done using the identity from the
> > replica TLS certificate (which fails) and not from the initial user.
>
> Owing to a "feature" in idassert code, an authcId or a binddn must be
> present for the proxyAuthz control to be successfully added to the
> chained request.
>
> If you use mechs like EXTERNAL, it's going to be empty, resulting in the
> behavior you observed. Please try adding whatever to authcId or binddn
> (for example binddn="cn=chain") and report.
It does alter the behavior: now I get this on the master
Sep 9 23:41:10 ldap0 slapd[5365]: conn=170 op=1 RESULT tag=103 err=47 text=not authorized to assume identity
And the BIND operation still shows the TLS certificate DN for both
authzid and authcid: the binddn or authcid I provide does not appear.
Am I missing some directive on the master to allow the proxy authorization?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
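An added configuration example, not taken from this thread and not Emmanuel's or Pierangelo's actual setup, showing the two halves that have to agree before the chained proxyAuthz control is accepted: on the replica, a non-empty binddn in chain-idassert-bind as suggested above, and on the master, an authz-regexp that maps the replica's certificate DN to an entry, an authz-policy, and an authzTo rule on that entry restricting whose identity the replica may assume. Hostnames, DNs, base suffix and file paths are placeholders.

```conf
### replica (slapd.conf): chain writes to the master, asserting the
### original user's identity over a SASL EXTERNAL (client certificate) bind.
overlay chain
chain-uri "ldaps://master.example.com"
# binddn is a placeholder only: idassert requires a non-empty binddn or
# authcId, otherwise no proxyAuthz control is attached (see the thread).
# mode=self asserts the identity of the user who sent the request;
# proxy-authz-critical fails the operation instead of silently running it
# as the replica's own identity when the master rejects the assertion.
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL
                    binddn="cn=chain"
                    mode=self
                    flags=proxy-authz-critical

### master (slapd.conf): decide who may assume whose identity.
# SASL EXTERNAL yields the certificate subject as authcDN; map it to a
# real entry so authorization rules can be attached to it.
authz-regexp
    "^cn=ldap1\.example\.com,ou=servers,o=example$"
    "cn=chain,ou=proxies,dc=example,dc=com"
# "to": the asserting (proxy) entry carries the list of identities it may
# assume, so the rule lives with the proxy and not on every user entry.
authz-policy to

### master (LDIF): the mapped proxy entry with its authzTo rule.
# Limit impersonation to ordinary user entries; the rule is a regex over
# the normalized DN, so anchor it and exclude commas in the RDN value.
dn: cn=chain,ou=proxies,dc=example,dc=com
objectClass: applicationProcess
cn: chain
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Until the master side is in place, the symptom is exactly the one in the log above: RESULT err=47 with "not authorized to assume identity", and the BIND still shows the certificate DN as both authcid and authzid because the proxy's own bind succeeds while the asserted identity is refused. Keep the authzTo pattern as narrow as the replicated data requires; a rule such as dn.regex:.* would let any client that can bind with the replica's certificate act as any entry on the master, including the rootdn.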