Re: openldap 2.4.11 slave update chaining
Alan Evans wrote:
I have read through the docs over and over and I am still not quite able
to wrap my head around idassert-bind and chaining. Can someone please
help me figure this configuration out?
I have an ldap master and ldap slave and I want the slave to chain
updates to the master so the clients don't have to worry about following
referrals.
I am successful in getting the slave to follow the referral and return
errors from the master; however, with various combinations of
idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get
errors about insufficient access or needing more rights.
1. Client binds with dn and password to slave
2. Client submits modify request to slave
3. Slave binds to master with binddn (bindmethod=simple)
4. Slave rebinds to master with dn and password provided by the client (mode=self, chain-rebind-as-user TRUE)
5. Slave submits modify to master as client (chain is global)
6. Master checks client's dn for access
7. Master performs update
8. Master returns result to slave
9. Slave returns result to client
Not exactly what you need, but chaining works OK for me, using a proxy
user (no rebind-as-user policy).
In the slave:
chain-idassert-authzFrom "*"
In the master:
# proxy authorization policy
authz-policy to
And my proxy entry:
# chain, roles, futurs.inria.fr
dn: cn=chain,ou=roles,dc=futurs,dc=inria,dc=fr
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: chain
description: slave server proxy user
authzTo: dn:*
--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62
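Putting the two halves of the reply's setup side by side, here is an added example of the corresponding slapd.conf fragments for the slave and the master. It is not configuration from the thread or from the OpenLDAP project; the master URI, the proxy password and the ou=people subtree are placeholders I assume, while the proxy DN and the authz-policy/authzFrom settings are the ones quoted above. The slave's chain overlay binds as the proxy user and asserts the client's DN via the proxyAuthz control (default idassert mode, no rebind as the user), so the master evaluates its ordinary ACLs against the client's identity. The one deliberate difference from the reply's entry is that authzTo is scoped to a user subtree instead of "dn:*", because "dn:*" lets whoever holds the proxy credential act as any entry on the master.

```conf
###############################################################
# Slave (consumer) slapd.conf
# The chain overlay sits on the frontend database so that it
# handles referrals from every backend ("chain is global").
###############################################################
database        frontend
overlay         chain
# Placeholder: URI of the master that referrals point at.
chain-uri       "ldap://master.example.invalid"
# Identity the slave binds with on the master. The DN is the proxy
# entry from the reply; the password is a placeholder.
chain-idassert-bind
        bindmethod=simple
        binddn="cn=chain,ou=roles,dc=futurs,dc=inria,dc=fr"
        credentials="CHANGE-ME-proxy-password"
# Do not rebind with the client's own credentials; instead the
# client's DN is asserted on top of the proxy bind (default mode).
chain-rebind-as-user    FALSE
# Which client identities the slave may assert on the master.
# "*" (as in the reply) means any authenticated client.
chain-idassert-authzFrom "*"
# Return the master's result, including errors, to the client
# rather than handing back the referral.
chain-return-error      TRUE

###############################################################
# Master (provider) slapd.conf
# With "authz-policy to", the right to assert another identity is
# granted by the authzTo attribute on the *binding* entry, i.e. the
# proxy user, not by anything on the target entry.
###############################################################
authz-policy    to
# The proxy user only needs to be able to bind; modifications are
# then authorized against the asserted client DN by the normal ACLs.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

###############################################################
# Proxy entry on the master (LDIF), scoped to a user subtree.
# ou=people is an assumed container; the password is a placeholder.
###############################################################
dn: cn=chain,ou=roles,dc=futurs,dc=inria,dc=fr
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: chain
description: slave server proxy user
userPassword: CHANGE-ME-proxy-password
authzTo: dn.subtree:ou=people,dc=futurs,dc=inria,dc=fr
```

If a client bound to the slave as a DN outside the subtree named in authzTo, the master rejects the proxyAuthz control and the client sees an insufficient-access style error, which is the same symptom the original poster describes; widening authzTo (or, on the slave, narrowing chain-idassert-authzFrom to the same subtree) is where to look when that happens.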