[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-chain

Emmanuel Dreyfus wrote:

> But the modification operation is done using the identity from the
> replica TLS certificate (which fails) and not from the initial user.

Owing to a "feature" in idassert code, an authcId or a binddn must be
present for the proxyAuthz control to be successfully added to the
chained request.

If you use mechs like EXTERNAL, it's going to be empty, resulting in the
behavior you observed.  Please try adding whatever to authcId or binddn
(for example binddn="cn=chain") and report.  You may file an ITS for
this, if you like.  I'm fixing it anyway.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it