
Slapd - Back-ldap Chain overlay: Proxied Authorization Denied
Hello!

I've implemented a simple OpenLDAP master and consumer architecture. To achieve this, I had to implement the back-ldap chain overlay (in order to have a read-only "slave") and the syncprov overlay, to synchronize data from the master to the slave.

This implementation works fine. I have data from the master replicated into the slave. When I try to modify an object from the consumer using the administrative account "cn=admin,dc=company,dc=com", the consumer refers the modify command to the master. The master performs the operation and returns the operation result to the consumer.

When I try to perform any modify operation with another authorized account, I get the following error:

LDAP said:Proxied Authorization Denied
Error number:0x7b ()
Description:

The account has permission to write the whole tree in both the master and the slave. Here is my config on both servers:

#-------
# Master
#-------
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by anonymous read by * none
olcAccess: {1}to attrs=shadowWarning,shadowMax,shadowMin by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by anonymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by * read

#-------
# Consumer
#-------
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov
olcModuleLoad: back_ldap

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://192.168.123.139 binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" bindmethod=simple credentials=0p3n1d4pPr0d% searchbase="dc=bandes,dc=gob,dc=ve" type=refreshAndPersist scope=sub retry="5 10 10 +" timeout=1 sizelimit=unlimited schemachecking=on
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.123.139

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE
olcChainMaxReferralDepth: 1

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://192.168.123.139
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: TRUE
olcDbNoRefs: FALSE
olcDBIDAssertAuthzFrom: *
olcDBACLBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d%
olcDbIDAssertBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d% mode="self" flags="prescriptive,proxy-authz-non-critical"

Hope someone can help me out! Thanks in advance.
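Result 0x7b (123) is the provider's proxyAuthzFailure: the chained write arrives at the master carrying a proxyAuthz control, and the master decides from its own olcAuthzPolicy and authzTo/authzFrom rules whether the bind identity of the chain database may assert that user. Those provider-side settings are not part of the consumer config above. The script below is an added example, not code from the poster or from the OpenLDAP project: an offline reviewer for a cn=config LDIF fragment that parses the chain database entry and flags the proxy-authorization and credential settings a reviewer would want to look at before deployment. The embedded LDIF is constructed, modelled on the consumer config in the post but with a PLACEHOLDER password and an example suffix; the attribute names it looks for (olcDbURI, olcDbStartTLS, olcDbIDAssertBind, olcDbIDAssertAuthzFrom) are real slapd-ldap settings.

```python
"""Offline review of an OpenLDAP cn=config LDIF fragment that configures a
back-ldap chain database, flagging proxy-authorization and credential
settings worth a second look before deployment."""
import base64
import re
from collections import defaultdict

# Constructed sample LDIF (not the poster's real config): placeholder
# password, example suffix. The olcSyncRepl value is folded across two lines
# to exercise LDIF line unfolding (continuation line starts with one space).
SAMPLE_LDIF = """\
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcUpdateRef
olcUpdateRef: ldap://192.168.123.139
-
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://192.168.123.139 bindmethod=simple
  credentials=PLACEHOLDER searchbase="dc=example,dc=com"

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://192.168.123.139
olcDbRebindAsUser: TRUE
olcDbIDAssertAuthzFrom: *
olcDbIDAssertBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=example,dc=com" credentials=PLACEHOLDER mode="self" flags="prescriptive,proxy-authz-non-critical"
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) pairs.

    Handles folded lines (a continuation line starts with one space, which
    is stripped), base64 values ('attr:: ...'), comments, and the '-'
    separator inside changetype: modify records. Attribute names are
    lower-cased because LDAP attribute types are case-insensitive, so
    olcDbIDAssertBind and olcDBIDAssertBind are the same attribute."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, dn, attrs = [], None, None
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, None
            continue
        if line == "-" or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None and name not in ("changetype", "add", "replace", "delete"):
            attrs[name].append(value)
    return entries


BIND_TOKEN = re.compile(r'(\w[\w-]*)=("[^"]*"|\S+)')


def parse_bind_spec(spec):
    """Split 'bindmethod="simple" binddn="cn=..." credentials=x flags="a,b"'
    into a dict; quoted values lose their quotes."""
    return {k.lower(): v.strip('"') for k, v in BIND_TOKEN.findall(spec)}


def audit_chain_database(attrs):
    """Return review findings for one olcChainDatabase entry (attrs as produced by parse_ldif)."""
    findings = []
    uris = attrs.get("olcdburi", [])
    if uris and all(u.lower().startswith("ldap://") for u in uris) and "olcdbstarttls" not in attrs:
        findings.append("plain ldap:// URI with no olcDbStartTLS: the proxy bind password "
                        "and every chained write cross the network unencrypted")
    bind = parse_bind_spec(attrs.get("olcdbidassertbind", [""])[0])
    if bind.get("bindmethod") == "simple" and "credentials" in bind:
        findings.append("idassert-bind stores a cleartext simple-bind password in cn=config; "
                        "restrict read access to that entry")
    if "*" in attrs.get("olcdbidassertauthzfrom", []):
        findings.append("idassert-authzFrom '*' lets every locally authenticated identity be "
                        "asserted to the provider; the provider's authz policy is then the only control")
    flags = [f.strip() for f in bind.get("flags", "").split(",") if f.strip()]
    if "proxy-authz-non-critical" in flags:
        findings.append("proxy-authz-non-critical: if the provider ignores the proxyAuthz control, "
                        "the operation runs as the proxy identity instead of failing")
    return findings


def audit_ldif(text):
    """Audit every chain database entry in an LDIF fragment; returns {dn: findings}."""
    return {dn: audit_chain_database(attrs)
            for dn, attrs in parse_ldif(text)
            if any(oc.lower() == "olcchaindatabase" for oc in attrs.get("objectclass", []))}


if __name__ == "__main__":
    for entry_dn, entry_findings in audit_ldif(SAMPLE_LDIF).items():
        print(entry_dn)
        for finding in entry_findings:
            print("  -", finding)
```

Run it against a cn=config export (`slapcat -n 0` output) to get the same review for a live consumer. A chain database that binds over ldaps:// with SASL EXTERNAL, restricts olcDbIDAssertAuthzFrom to the subtree that should be proxied, and drops the non-critical flag produces no findings; the provider side still needs its own olcAuthzPolicy and authzTo/authzFrom entries for the proxy identity, which this consumer-only review cannot see.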