Re: openldap 2.4.11 slave update chaining

[Guillaume Rousse <Guillaume.Rousse@inria.fr>]

Alan Evans a écrit :
> I have read through the docs over and over and I am still not quite able 
> to wrap my head around idassert-bind and chaining.  Can someone please 
> help me figure this configuration out.
>
> I have a ldap master and ldap slave and I want the slave to chain 
> updates to the master so the clients don't have to worry about following 
> referrals.
>
> I am successful in getting the slave to follow the referral and return 
> errors from the master however with various combinations of 
> idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get 
> errors about insufficent access or needing more rights.
>
>    1. Client binds with dn and password to slave
>    2. Client submits modify request to slave
>    3. Slave binds to master with binddn (bindmethod=simple)
>    4. Slave rebinds to master with dn and password provided by the
>       client (mode=self, chain-rebind-as-user TRUE)
>    5. Slave submits modify to master as client (chain is global)
>    6. Master checks client's dn for access
>    7. Master performs update
>    8. Master returns result to slave
>    9. Slave returns result to client
Not exactly what you need, but chaining works OK for me, using a proxy 
user (no rebind-as-user policy)

In the slave:
chain-idassert-authzFrom "*"

In the master:
# proxy authorization policy
authz-policy to

And my proxy entry:
# chain, roles, futurs.inria.fr
dn: cn=chain,ou=roles,dc=futurs,dc=inria,dc=fr
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: chain
description: slave server proxy user
authzTo: dn:*

--
Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62