Pierangelo Masarati <firstname.lastname@example.org> wrote:
> > But the modification operation is done using the identity from the
> > replica TLS certificate (which fails) and not from the initial user.
> Owing to a "feature" in idassert code, an authcId or a binddn must be
> present for the proxyAuthz control to be successfully added to the
> chained request.
> If you use mechs like EXTERNAL, it's going to be empty, resulting in the
> behavior you observed. Please try adding whatever to authcId or binddn
> (for example binddn="cn=chain") and report.
It does alter the behavior: now I get this on the master
Sep 9 23:41:10 ldap0 slapd: conn=170 op=1 RESULT tag=103 err=47
text=not authorized to assume identity
And the BIND operation still shows the TLS certificate DN for both
authzid and authcid: the binddn or authcid I provide does not appear.
Am I missing some directive on the master to allow the proxy authorization?
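For readers following this exchange, here is a slapd.conf sketch of the two sides being discussed, added as an illustration and not taken from the thread or from Pierangelo's reply: the replica chains writes over TLS with SASL/EXTERNAL while supplying the binddn the reply suggests, and the master is given an authz policy under which the replica's bound identity may assume user identities, since err=47 (proxyAuthorizationFailure) is the result slapd returns when that permission is absent. Hostnames, certificate DN and directory DNs are placeholders, not values from the thread.

```conf
# --- replica (consumer) side: chain overlay forwards writes to the master ---
# Added illustration; hostnames and DNs below are placeholders.
overlay chain
chain-uri "ldap://master.example.com"
chain-tls start
# bindmethod=sasl + EXTERNAL authenticates with the replica's client certificate;
# a non-empty binddn is what the idassert code needs (per the reply above) so the
# proxyAuthz control is actually attached to each chained request.
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="cn=chain" mode=self
# Only forward requests on behalf of identities under this subtree.
chain-idassert-authzFrom "dn.subtree:dc=example,dc=com"

# --- master side: let the replica's bound identity assume other users ---
# With authz-policy "to", the entry of the identity doing the asserting must
# carry an authzTo attribute naming the identities it may become.
authz-policy to
# Map the replica's TLS certificate DN (as seen in the BIND log) onto a real
# entry in the DIT; both DNs are placeholders.
authz-regexp
    "cn=replica1.example.com,ou=servers,o=example"
    "cn=replica1,ou=servers,dc=example,dc=com"
# That entry then needs, in the directory (LDIF, placeholder subtree):
#   dn: cn=replica1,ou=servers,dc=example,dc=com
#   authzTo: dn.subtree:ou=people,dc=example,dc=com
```

Checking the master's log for the BIND line is the quickest way to confirm which DN the authz-regexp must match: it is the authcid shown there, not the binddn configured on the replica.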