
Re: chaining question



Tony Earnshaw wrote:

> The 2 2.3.37 and .38 chaining tests, 018 and 032 pass on my build
> machine. But when I put these ad lib into slapd.conf on the consumer,
> they don't.
> 
> What doesn't work after 'moduleload  back_ldap.la':
> 
> overlay chain
> chain-uri               ldap://mercurius.intern/
> chain-idassert-bind     bindmethod=simple
>                         binddn="cn=proxy,dc=barlaeus,dc=nl"
>                         credentials=secret
>                         mode=self

What do you mean "doesn't work"?  Do you mean that it doesn't chain
anonymous searches?  Did you try an authenticated search?  Anonymous
operation chaining is implicitly disabled by the idassert-bind
directive, as you can see from slapd-ldap(5).

If you want to let them thru anonymously you need to add
"flags=non-prescriptive" to the idassert-bind statement; if you want
anonymous to be asserted as anonymous as well, leave the idassert-bind
statement as is, and add

chain-idassert-authzFrom "*"



> chain-tls               start
> 
> Apart from chain-tls, this is almost verbatim what the two tests use.
> 
> I finally noticed from the SLAPO-CHAIN man page, not having seen the
> wood for the trees, the following:
> 
> "Directives for configuring the underlying ldap database may also be
> required, as shown in this example:".
> 
> So I tried the example, and this chaining config does work on the consumer:
> 
> overlay chain
> chain-rebind-as-user    FALSE
> 
> chain-uri               ldap://mercurius.intern/
> chain-rebind-as-user    TRUE
> chain-idassert-bind     bindmethod=simple
>                         binddn="cn=proxy,dc=barlaeus,dc=nl"
>                         credentials=secret
>                         mode=self
> chain-tls               start
> 
> Could someone please explain why the configuration for the two tests
> should pass, while it doesn't on my consumer, and why the config with
> the two chain-rebind-as-user stanzas does?

I don't think that adding chain-rebind-as-user really makes any
difference, because rebinding as user makes no sense if you use identity
assertion: the user is not going to rebind anyway, as its identity is
going to be asserted.  The only thing that could change is in case
chaining implies further referral chasing, i.e. if while chaining the
operation another referral is encountered.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
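A consumer slapd.conf chain stanza assembled from this thread, as an added example that is not code from either post or from OpenLDAP itself: it lays out the two choices Pierangelo describes for anonymous clients, side by side. The host, proxy DN and credentials are the values quoted above; `chain-return-error` is a slapo-chain(5) directive the thread does not mention, assumed available here.

```conf
# Added example: consumer chain overlay, built from the thread's directives.
# Values below (URI, binddn, credentials) are the ones quoted in the posts.

moduleload              back_ldap.la

overlay                 chain
chain-uri               ldap://mercurius.intern/
chain-tls               start

# While diagnosing "doesn't work": return the chained operation's own error
# to the client instead of falling back to the referral (slapo-chain(5)).
chain-return-error      TRUE

# Variant A: identity assertion for authenticated clients; anonymous
# clients are still chained, but without assertion (non-prescriptive).
chain-idassert-bind     bindmethod=simple
                        binddn="cn=proxy,dc=barlaeus,dc=nl"
                        credentials=secret
                        mode=self
                        flags=non-prescriptive

# Variant B (use instead of A): keep the original idassert-bind unchanged
# and authorize every client identity, anonymous included, to be asserted
# as itself on the chained connection.
# chain-idassert-bind     bindmethod=simple
#                         binddn="cn=proxy,dc=barlaeus,dc=nl"
#                         credentials=secret
#                         mode=self
# chain-idassert-authzFrom "*"
```

Without either addition, an anonymous search that hits a referral is not chained at all, which is the symptom the thread started from; an authenticated search is the quickest way to confirm the stanza itself is loaded.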