
Re: overlay chain



Ed Greenberg <edg@greenberg.org> wrote:

> overlay                 chain
> chain-rebind-as-user    FALSE
> 
> chain-uri               "ldap://master.mydomain.com";
> chain-rebind-as-user    TRUE
> chain-idassert-bind     bindmethod="simple"
>                         binddn="cn=Manager,dc=mydomain,dc=com"
>                         credentials="secret"
>                         mode="self"  

I have this on the slave. The cn=foo is a bug workaround for getting it
working with certificates.

overlay                 chain
chain-uri               ldaps://ldapmaster.example.net
chain-idassert-bind     bindmethod=sasl
                        saslmech=EXTERNAL
                        binddn="cn=foo"
                        mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE


On the master. The authz-regexp maps the CN from the certificate to a DN
in the tree:
authz-policy    to
authz-regexp    cn=ldapslave1.example.net
                         cn=ldapslave1.example.net,o=example
(...)
access to attrs=authzTo
    by * read stop


And finally, in the LDAP tree:
dn: cn=ldapslave1.example.net,o=example
authzTo: *

It did work with 2.3 but seems broken in 2.4. The slave accepts the
client's connection, but when it attempts to do the modification:

modifying entry "uid=foo,o=example"
ldap_modify: Authentication method not supported (7)

Any hint appreciated

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
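As an added illustration of the two master-side pieces in the configuration above (authz-regexp mapping the certificate identity to a directory entry, then authz-policy "to" consulting that entry's authzTo before the chained operation may run as "uid=foo,o=example"), here is a small Python model of that evaluation. It is not slapd code: the directory contents and the extra slave identities are constructed, and it approximates slapd's syntax for only a few authzTo forms; the second authz-regexp rule generalizes the post's single-host rule to show $1 substitution.

```python
import re

# authz-regexp rules as (pattern, replacement); the first one is the post's,
# the second is a constructed generalization using a capture group.
AUTHZ_REGEXP = [
    (r"cn=ldapslave1\.example\.net", "cn=ldapslave1.example.net,o=example"),
    (r"^cn=(ldapslave\d+\.example\.net)", "cn=$1,o=example"),
]

# Constructed directory subset: entry DN -> authzTo values (authz-policy "to").
DIRECTORY = {
    "cn=ldapslave1.example.net,o=example": ["*"],
    "cn=ldapslave2.example.net,o=example": ["dn.subtree:ou=people,o=example"],
    "cn=ldapslave3.example.net,o=example": [],
}

def map_authcid(authcid, rules=AUTHZ_REGEXP):
    """Apply authz-regexp: first matching rule wins; $N expands to group N."""
    for pattern, replacement in rules:
        m = re.search(pattern, authcid, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)
    return authcid  # no rule matched: the identity is left as slapd derived it

def _in_subtree(dn, base):
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())

def authz_to_allows(rule, target_dn):
    """Evaluate one authzTo value against the DN the proxy wants to assert."""
    if rule == "*":
        return True
    if rule.startswith("dn.regex:"):
        return re.search(rule[len("dn.regex:"):], target_dn, re.IGNORECASE) is not None
    if rule.startswith("dn.subtree:"):
        return _in_subtree(target_dn, rule[len("dn.subtree:"):])
    if rule.startswith("dn:") or rule.startswith("dn.exact:"):
        return target_dn.lower() == rule.split(":", 1)[1].lower()
    return False  # unsupported form in this model: deny

def may_assert(authcid, target_dn, directory=DIRECTORY):
    """authz-policy 'to': the mapped identity's own entry must authorize target_dn."""
    authz_dn = map_authcid(authcid)
    rules = directory.get(authz_dn)
    if rules is None:
        return False  # mapped DN is not an entry, so there is no authzTo to consult
    return any(authz_to_allows(r, target_dn) for r in rules)
```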