
Re: Does chain overlay support sasl binding?



Pierangelo Masarati wrote:
> Simon Gao wrote:
>   
>> Hi,
>>
>> I'd like to know if chain overlay currently supports sasl binding or not
>> with OpenLDAP 2.3.35.
>>
>> Since both idassert-bind and chain-idassert-bind are handled by ldap
>> backend, can I assume sasl binding should be available to chain overlay
>> also?
>>     
>
> Yes, it does.  But, of course, it cannot bind with the user's
> credentials.  It can use SASL bind when exploiting the idassert feature,
> namely to bind as an administrative identity to proxyAuthz the user's
> identity.
>
>   
That's great to know. Do you think the following setup will work on a consumer?

=========================================================
overlay                 chain
chain-rebind-as-user    FALSE

chain-uri               ldaps://provider/
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod=sasl
                        saslmech=GSSAPI
                        binddn="uid=host/consumer1,cn=gssapi,cn=auth"
                        mode="self"
=========================================================

I have set ACL on provider so that uid=host/consumer1 has correct
permissions to write all attributes.  But it did not work. The error
says that host/consumer1 is not allowed to assert identity.

Do I need to make host/consumer1 an administrative identity on provider?
How?

The issue I am trying to resolve is that I prefer not putting a clear-text
password in slapd.conf. SASL binding fits such a need perfectly if I can
get it to work with chain overlay.

Thanks,

Simon