(Answer) (Category) OpenLDAP Faq-O-Matic : (Category) OpenLDAP Software FAQ : (Category) Configuration : (Category) SLAPD Configuration : (Category) Replication : (Answer) How to have a slave proxying changes to the master

This can be done using slapo-chain. The slave will proxy the changes to the master on behalf of the requesting DN. Here is a sample setup:

In the slave's slapd.conf, you need a chain overlay in the global section:

overlay                  chain
chain-uri                ldaps://master.example.net
chain-idassert-bind      bindmethod=sasl
chain-idassert-authzFrom "*"
chain-return-error       TRUE

In this setup, TLS is used for communication between slave and master, hence the saslmech=EXTERNAL. binddn="cn=bugworkaround" is a bug workaround (OpenLDAP <= 2.3.38) that is required when using SASL EXTERNAL mechanism, but is useless otherwise.

On the master, the following is needed:

authz-policy    to
authz-regexp    cn=slave1.example.net
authz-regexp    cn=slave2.example.net

access to attrs=authzTo 
    by * read stop

authz-policy to specify that an user can perform a change on behalf of anyone matching its authzTo attribute.

authz-regexp clauses are needed for mapping the identity obtained from TLS certificates to an existing user's DN in the DIT.

The ACL clause is very important on the security front. If random user are allowed to change their authzTo attribute, then they can perfom a change on behalf on ay other user.

In the DIT, you need the following for each slave:

dn: cn=slave1.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: slave1.example.net
ou: pseudo-user
authzTo: *

[Append to This Answer]
Previous: (Answer) How to automatically chase referrals on a syncrepl slave
Next: (Answer) How to set up syncrepl using tls certs (sasl external bind)
This document is: http://www.openldap.org/faq/index.cgi?file=1434
[Search] [Appearance]
This is a Faq-O-Matic 2.721.test.
© Copyright 1998-2013, OpenLDAP Foundation, info@OpenLDAP.org