chaining question

[Tony Earnshaw <tonni@hetnet.nl>]

I finally got chaining working on our OL 2.3.37 (I'll be updating) delta 
syncrepl Samba consumer. It used to work before and stopped around OL 
2.3.24 - unfortunately I don't know exactly which version.

The 2 2.3.37 and .38 chaining tests, 018 and 032 pass on my build 
machine. But when I put these ad lib into slapd.conf on the consumer, 
they don't.

What doesn't work after 'moduleload  back_ldap.la':

overlay chain
chain-uri               ldap://mercurius.intern/
chain-idassert-bind     bindmethod=simple
                        binddn="cn=proxy,dc=barlaeus,dc=nl"
                        credentials=secret
                        mode=self
chain-tls               start

Apart from chain-tls, this is almost verbatim what the two tests use.

I finally noticed from the SLAPO-CHAIN man page, not having seen the 
wood for the trees, the following:

"Directives for configuring the underlying ldap database may also be 
required, as shown in this example:".

So I tried the example, and this chaining config does work on the consumer:

overlay chain
chain-rebind-as-user    FALSE

chain-uri               ldap://mercurius.intern/
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=simple
                        binddn="cn=proxy,dc=barlaeus,dc=nl"
                        credentials=secret
                        mode=self
chain-tls               start

Could someone please explain why the configuration for the two tests 
should pass, while it doesn't on my consumer, and why the config with 
the two chain-rebind-as-user stanzas does?

Best,

--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl