Full_Name: Clément OUDOT
Version: 2.4.38
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (88.173.78.196)

I set up a slave configuration with the ppolicy_forward_updates feature.

In my data backend config, I have:

olcUpdateRef: ldap://localhost:389

And I created the chain overlay and a sub ldap backend like this:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: top
objectClass: olcConfig
objectClass: olcChainConfig
objectClass: olcOverlayConfig
olcOverlay: {0}chain

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbIDAssertBind: bindmethod="simple" binddn="cn=admin,dc=example,dc=com" credentials="secret" mode="none"

This configuration does not work: the BIND on the master server is done anonymously, despite the olcDbIDAssertBind value.

To work, I need to add:

olcDbUri: ldap://localhost:389

Seems the problem exists in OpenLDAP unit test 32, see tests/data/slapd-chain1.conf:

# uses the chain overlay as global;
# no chain-URI is configured, so the URI is parsed out of the referral
overlay chain
chain-uri @URI2@
chain-idassert-bind bindmethod=simple binddn="cn=Manager,dc=example,dc=com" credentials=secret mode=self flags=non-prescriptive

The comment says "no chain-URI is configured", but the chain-uri is configured. Where is the truth?

If a URI is not configured, it is then "unknown" and will only be chased anonymously. For bind assert to work, the URI must be configured. Documentation may need updating to reflect this.
slapo-chain already says "All URIs not listed in the configuration are chained anonymously", works as designed.
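
A configuration check for the behaviour discussed in this report, as an added example that is not part of the original thread or of OpenLDAP's own code. It scans a cn=config LDIF export for chain databases that set olcDbIDAssertBind without an olcDbURI, and for olcUpdateRef targets no such database covers. The function names, the data database DN in the sample and the simplified URI comparison are assumptions.

```python
import re

# Constructed sample: the reporter's cn=config entries; the data database DN is assumed.
SAMPLE_BROKEN = """\
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
olcUpdateRef: ldap://localhost:389

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbIDAssertBind: bindmethod="simple" binddn="cn=admin,dc=example,dc=com" credentials="secret" mode="none"
"""
SAMPLE_FIXED = SAMPLE_BROKEN + "olcDbURI: ldap://localhost:389\n"

def parse_ldif(text):
    """Return one {lowercased attribute: [values]} dict per LDIF entry."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.lstrip(": ").strip())
        entries.append(entry)
    return entries

def norm(uri):
    # Simplified comparison (assumption): ignore quotes, case and a trailing slash.
    return uri.strip().strip('"').lower().rstrip("/")

def audit_chain(ldif_text):
    """List referral targets that slapo-chain would chase anonymously."""
    entries = parse_ldif(ldif_text)
    findings, bound_uris = [], set()
    for e in entries:
        if "olcchaindatabase" not in [v.lower() for v in e.get("objectclass", [])]:
            continue
        uris = {norm(u) for u in e.get("olcdburi", [])}
        if "olcdbidassertbind" in e:
            bound_uris |= uris
            if not uris:
                findings.append(f"{e.get('dn', ['?'])[0]}: olcDbIDAssertBind without olcDbURI")
    for e in entries:
        for ref in e.get("olcupdateref", []):
            if norm(ref) not in bound_uris:
                findings.append(f"{e.get('dn', ['?'])[0]}: olcUpdateRef {ref} not covered, chained anonymously")
    return findings
```

On the constructed sample, the reporter's original entries produce two findings and the version with olcDbURI added produces none.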