Hello!
I've implemented a simple OpenLDAP master and consumer architecture. To achieve this, I had to implement the back-ldap chain overlay (in order to have a read-only "slave") and the syncprov overlay, to synchronize data from the master to the slave.
This implementation works fine. I have data from the master replicated into the slave. When I try to modify an object from the consumer using the administrative account "cn=admin,dc=company,dc=com", the consumer refers the modify command to the master. The master performs the operation and returns the operation result to the consumer.
When I try to perform any modify operation with another authorized account, I get the following error:
LDAP said: Proxied Authorization Denied
Error number: 0x7b ()
Description:
The account has permission to write the whole tree on both the master and the slave. Here is my config on both servers:
#-------
# Master
#-------
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=comdc=company,dc=com" write by anonymous read by * none
olcAccess: {1}to attrs=shadowWarning,shadowMax,shadowMin by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by anonymous read by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by * read
#-------
# Consumer
#-------
dn: cn=module,cn=config
changetype: add
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: syncprov
olcModuleLoad: back_ldap

dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncRepl
olcSyncRepl: rid=001 provider=ldap://192.168.123.139 binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" bindmethod=simple credentials=0p3n1d4pPr0d% searchbase="dc=bandes,dc=gob,dc=ve" type=refreshAndPersist scope=sub retry="5 10 10 +" timeout=1 sizelimit=unlimited schemachecking=on
-
add: olcUpdateRef
olcUpdateRef: ldap://192.168.123.139

dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE
olcChainMaxReferralDepth: 1

dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: ldap://192.168.123.139
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: TRUE
olcDbNoRefs: FALSE
olcDBIDAssertAuthzFrom: *
olcDBACLBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d%
olcDbIDAssertBind: bindmethod="simple" binddn="cn=syncReplUser,ou=Seguridad,dc=bandes,dc=gob,dc=ve" credentials=0p3n1d4pPr0d% mode="self" flags="prescriptive,proxy-authz-non-critical"
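As an added example (my own code, not from the post or from OpenLDAP): a small evaluator for the master's olcAccess rules quoted above, which reports what a given bind DN gets on a given attribute under slapd's first-match semantics. It supports only the <what> and <who> forms this config uses (`*`, `attrs=`, `dn.base=`, `anonymous`, `self`, `dn=`), and the rules are copied from the post as written.

```python
import re
# Constructed helper for reviewing slapd olcAccess rules; the rule set below is the master's config as quoted.

def _norm(dn):
    return re.sub(r",\s*", ",", dn.strip().strip('"')).lower()

def parse_olc_access(value):
    """'{n}to <what> by <who> <access> by ...' -> (what, [(who, access), ...])."""
    what, rest = re.match(r"(?:\{\d+\})?to\s+(\S+)\s+(.*)$", value.strip()).groups()
    return what, [tuple(c.strip().rsplit(None, 1)) for c in re.split(r"\bby\s+", rest) if c.strip()]

def _what_matches(what, target_dn, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr is not None and attr.lower() in what[6:].lower().split(",")
    if what.startswith("dn.base="):
        return _norm(target_dn) == _norm(what[8:])
    raise ValueError("unsupported <what>: " + what)

def _who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and _norm(bind_dn) == _norm(target_dn)
    if who.startswith("dn="):
        return _norm(bind_dn) == _norm(who[3:])
    raise ValueError("unsupported <who>: " + who)

def access_for(rules, bind_dn, target_dn, attr=None):
    """slapd semantics: the first matching 'to' rule is selected; within it the first 'by' whose <who> matches decides."""
    for what, clauses in rules:
        if _what_matches(what, target_dn, attr):
            for who, access in clauses:
                if _who_matches(who, bind_dn, target_dn):
                    return access
            return "none"  # rule selected but no 'by' clause matched: slapd stops here
    return "none"

# The master's olcAccess values exactly as quoted in the post (rule {1} re-joined onto one line).
MASTER_RULES = [parse_olc_access(v) for v in (
    '{0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=comdc=company,dc=com" write by anonymous read by * none',
    '{1}to attrs=shadowWarning,shadowMax,shadowMin by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by anonymous read by * none',
    '{2}to dn.base="" by * read',
    '{3}to * by self write by dn="cn=admin,dc=company,dc=com" write by dn="cn=idm,ou=Seguridad,dc=company,dc=com" write by * read',
)]
```

Running `access_for(MASTER_RULES, bind_dn, target_dn, attr)` for each account and attribute of interest is a quick way to confirm, per rule, which `by` clause actually fires.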