Re: overlay chain
Emmanuel Dreyfus <manu@netbsd.org> wrote:
> modifying entry "uid=foo,o=example"
> ldap_modify: Authentication method not supported (7)
>
> Any hint appreciated
Trying with debug output: the replica slapd sends its certificate to the
master, which accepts it. But the master slapd just grants an anonymous
bind for that. It suggests something goes wrong with the authz-regexp
clauses, but I fail to understand why they stopped working after the 2.4
upgrade.
On the master (edited to retain only relevant parts):
TLS trace: SSL_accept:before/accept initialization
TLS trace: SSL_accept:SSLv3 read client hello A
TLS trace: SSL_accept:SSLv3 write server hello A
TLS trace: SSL_accept:SSLv3 write certificate A
TLS trace: SSL_accept:SSLv3 write certificate request A
TLS trace: SSL_accept:SSLv3 flush data
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS trace: SSL_accept:error in SSLv3 read client certificate A
TLS certificate verification: depth: 1, err: 0, subject: <CA cert>
TLS certificate verification: depth: 0, err: 0, subject: <replica cert>
TLS trace: SSL_accept:SSLv3 read client certificate A
TLS trace: SSL_accept:SSLv3 read client key exchange A
TLS trace: SSL_accept:SSLv3 read certificate verify A
TLS trace: SSL_accept:SSLv3 read finished A
TLS trace: SSL_accept:SSLv3 write change cipher spec A
TLS trace: SSL_accept:SSLv3 write finished A
TLS trace: SSL_accept:SSLv3 flush data
conn=8 op=0 BIND dn="" method=128
conn=8 op=0 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
So, what is the culprit? The replica's settings?
overlay chain
chain-uri ldaps://ldapmaster.exemple.net:636
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=foo"
    mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
Or the master's settings?
authz-policy to
authz-regexp cn=ldapreplica1.example.net
    cn=ldapreplica1.example.net,o=example
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
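As an added example (not from the post, nor OpenLDAP's own code): a small Python check that classifies slapd BIND log lines by method code, so the master's `method=128` anonymous simple bind shown above can be told apart from a SASL EXTERNAL bind whose identity was mapped through authz-regexp. The SASL bind lines in the sample are constructed, and their exact format is an assumption.

```python
import re

# Constructed sample. The first three lines are the master's log from the
# post; the remaining four are a constructed illustration of what a
# successful SASL EXTERNAL bind logs (line format is an assumption).
SAMPLE_LOG = """\
conn=8 op=0 BIND dn="" method=128
conn=8 op=0 RESULT tag=97 err=0 text=
do_bind: v3 anonymous bind
conn=9 op=0 BIND dn="" method=163
conn=9 op=0 BIND authcid="cn=ldapreplica1.example.net,o=example" authzid="cn=ldapreplica1.example.net,o=example"
conn=9 op=0 BIND dn="cn=ldapreplica1.example.net,o=example" mech=EXTERNAL sasl_ssf=0 ssf=256
conn=9 op=0 RESULT tag=97 err=0 text=
"""

# LDAP bind method codes as slapd logs them: 128 = simple, 163 = SASL.
METHOD_NAMES = {"128": "simple", "163": "sasl"}

BIND_RE = re.compile(r'^conn=(\d+) op=\d+ BIND dn="([^"]*)"(?: method=(\d+)| mech=(\S+))')
RESULT_RE = re.compile(r'^conn=(\d+) op=\d+ RESULT tag=97 err=(\d+)')


def _new_entry():
    return {"method": None, "mech": None, "dn": "", "err": None, "verdict": ""}


def classify_binds(log_text):
    """Summarise each connection's bind: method, SASL mechanism, bound DN, verdict."""
    conns = {}
    for line in log_text.splitlines():
        m = BIND_RE.match(line)
        if m:
            conn, dn, method, mech = m.groups()
            entry = conns.setdefault(conn, _new_entry())
            entry["dn"] = dn  # for SASL, the later mech= line carries the mapped DN
            if method:
                entry["method"] = METHOD_NAMES.get(method, method)
            if mech:
                entry["mech"] = mech
            continue
        m = RESULT_RE.match(line)
        if m:
            conns.setdefault(m.group(1), _new_entry())["err"] = int(m.group(2))
    for entry in conns.values():
        if entry["method"] == "simple" and entry["dn"] == "":
            entry["verdict"] = "anonymous simple bind: client asserted no identity"
        elif entry["method"] == "sasl" and entry["dn"]:
            entry["verdict"] = "sasl bind mapped to " + entry["dn"]
        elif entry["method"] == "sasl":
            entry["verdict"] = "sasl bind without a mapped identity: check authz-regexp"
        else:
            entry["verdict"] = "simple bind as " + entry["dn"]
    return conns
```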