
Re: chaining question



Pierangelo Masarati wrote, on 05-09-2007 09:18:

>> The 2 2.3.37 and .38 chaining tests, 018 and 032 pass on my build
>> machine. But when I put these ad lib into slapd.conf on the consumer,
>> they don't.
>>
>> What doesn't work after 'moduleload  back_ldap.la':
>>
>> overlay chain
>> chain-uri               ldap://mercurius.intern/
>> chain-idassert-bind     bindmethod=simple
>>                         binddn="cn=proxy,dc=barlaeus,dc=nl"
>>                         credentials=secret
>>                         mode=self
>
> What do you mean "doesn't work"? Do you mean that it doesn't chain anonymous searches? Did you try an authenticated search? Anonymous operation chaining is implicitly disabled by the idassert-bind directive, as you can see from slapd-ldap(5).

"Doesn't work" means that I get tag=103 err=10 in the consumer log (loglevel 256), the client gets a referral. No clients on the consumer other than Samba tools understand this, so referrals aren't followed by them.


I'm not binding to the consumer anonymously, I'm binding as "cn=proxy,dc=barlaeus,dc=nl" who has full authZTo rights. I'd expect the above chain-idassert-bind to work, as it does in the tests, and it doesn't.

> If you want to let them thru anonymously you need to add
> "flags=non-prescriptive" to the idassert-bind statement; if you want
> anonymous to be asserted as anonymous as well, leave the idassert-bind
> statement as is, and add
>
> chain-idassert-authzFrom "*"

None of this is in test018 or test23. My above stanzas conform completely to the slapd.confs for these tests.


There's no point in binding anonymously, my ACLs prohibit all access other than auth to userPassword and all access whatsoever to most other attributes.

> [...]
>
>> overlay chain
>> chain-rebind-as-user    FALSE
>>
>> chain-uri               ldap://mercurius.intern/
>> chain-rebind-as-user    TRUE
>> chain-idassert-bind     bindmethod=simple
>>                         binddn="cn=proxy,dc=barlaeus,dc=nl"
>>                         credentials=secret
>>                         mode=self
>> chain-tls               start
>>
>> Could someone please explain why the configuration for the two tests
>> should pass, while it doesn't on my consumer, and why the config with
>> the two chain-rebind-as-user stanzas does?
>
> I don't think that adding chain-rebind-as-user really makes any
> difference, because rebinding as user makes no sense if you use identity
> assertion: the user is not going to rebind anyway, as its identity is
> going to be asserted.  The only thing that could change is in case
> chaining implies further referral chasing, i.e. if while chaining the
> operation another referral is encountered.

I tried to go to pains to point out that the second config stanzas *work* (again, "work" means that the referral is recognized - tag=110 - and no error is returned), while the first stanzas *do not* work - tag=110 err=10. I also asked for an explanation of why (when this is not the case with the tests).


It's no good telling me that chain-rebind-as-user is useless, when:

1: it's documented - though without an explanation - in SLAPO-CHAIN, and
2: it works ("works" means the referral from the slave is accepted and passed to the master, while a config without it doesn't).


--Tonni

--
Tony Earnshaw
Email: tonni at hetnet dot nl
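The diagnosis in this thread rests on spotting "RESULT tag=... err=10" lines in the consumer's loglevel 256 (stats) log: err=10 is the LDAP referral result code, so any operation logged with it was handed back to the client as a referral instead of being chained to the provider. As an added example that is not part of the original mail, here is a small Python checker that pulls every RESULT line out of such a log, lists the operations answered with a referral, and tallies results per error code. The sample log lines are constructed to mimic slapd's stats format and are not a capture from either poster's servers; the entry DNs under dc=barlaeus,dc=nl are made up for the sample.

```python
import re
from collections import Counter

# LDAP resultCode 10 is "referral" (RFC 4511).  On a consumer running
# slapo-chain, a write answered with err=10 means the overlay did not
# pick the operation up and the client was left to chase the referral.
REFERRAL = 10

# slapd stats-level (loglevel 256) result lines look like
#   conn=N op=M RESULT tag=T err=E text=
# and, for searches,
#   conn=N op=M SEARCH RESULT tag=T err=E nentries=K text=
# where tag is the decimal protocolOp number of the response PDU.
RESULT_RE = re.compile(
    r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?:SEARCH )?RESULT "
    r"tag=(?P<tag>\d+) err=(?P<err>\d+)"
)

# Response protocolOp tags from RFC 4511, in decimal as slapd prints them.
TAG_NAMES = {
    97: "bindResponse", 101: "searchResDone", 103: "modifyResponse",
    105: "addResponse", 107: "delResponse", 109: "modDNResponse",
    111: "compareResponse", 120: "extendedResp",
}


def parse_results(lines):
    """Extract conn, op, tag and err from every RESULT line; skip the rest."""
    parsed = []
    for line in lines:
        m = RESULT_RE.search(line)
        if m:
            parsed.append({k: int(v) for k, v in m.groupdict().items()})
    return parsed


def find_unchained_referrals(lines):
    """Operations the consumer answered with err=10, i.e. referrals handed
    back to the client rather than chained.  Unknown tags (such as the
    tag=110 mentioned in the thread) are reported by number."""
    return [
        (r["conn"], r["op"], TAG_NAMES.get(r["tag"], "tag=%d" % r["tag"]))
        for r in parse_results(lines)
        if r["err"] == REFERRAL
    ]


def error_histogram(lines):
    """Count RESULT lines per err code.  A consumer whose chaining works
    should show no err=10 for the write operations it receives."""
    return Counter(r["err"] for r in parse_results(lines))


# Constructed sample log in slapd's stats format (not a real capture).
# conn=1001 binds as the proxy identity from the thread and gets a referral
# back on a modify; conn=1003's modify went through (chained or local).
SAMPLE_LOG = [
    'conn=1001 op=0 BIND dn="cn=proxy,dc=barlaeus,dc=nl" method=128',
    'conn=1001 op=0 RESULT tag=97 err=0 text=',
    'conn=1001 op=1 MOD dn="uid=jdoe,ou=people,dc=barlaeus,dc=nl"',
    'conn=1001 op=1 RESULT tag=103 err=10 text=',
    'conn=1002 op=1 SRCH base="dc=barlaeus,dc=nl" scope=2 deref=0 filter="(uid=jdoe)"',
    'conn=1002 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=',
    'conn=1003 op=2 MOD dn="uid=asmith,ou=people,dc=barlaeus,dc=nl"',
    'conn=1003 op=2 RESULT tag=103 err=0 text=',
]

if __name__ == "__main__":
    for conn, op, what in find_unchained_referrals(SAMPLE_LOG):
        print("conn=%d op=%d: %s returned a referral (err=10)" % (conn, op, what))
    print(dict(error_histogram(SAMPLE_LOG)))
```

Run it against the consumer's own log (for example by passing the lines of /var/log/slapd.log into the two functions) before and after changing the chain-idassert-bind stanza: if the err=10 entries for modify, add and delete responses disappear while the same clients keep writing, the overlay is chaining them; if they persist for binds as the asserted identity, the idassert settings are still not matching what Pierangelo describes.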