[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-chain

Pierangelo Masarati <ando@sys-net.it> wrote:

> > But the modification operation is done using the identity from the
> > replica TLS certificate (which fails) and not from the initial user.
> Owing to a "feature" in idassert code, an authcId or a binddn must be
> present for the proxyAuthz control to be successfully added to the
> chained request.
> If you use mechs like EXTERNAL, it's going to be empty, resulting in the
> behavior you observed.  Please try adding whatever to authcId or binddn
> (for example binddn="cn=chain") and report. 

It does alter the behavior: now I get this on the master
Sep  9 23:41:10 ldap0 slapd[5365]: conn=170 op=1 RESULT tag=103 err=47
text=not authorized to assume identity 

And the BIND operation still shows the TLS certificate DN for both
authzid and authcid: the binddn or authcid I provide does not appear.

Do I miss some directive on the master to allow the proxy authorization?

Emmanuel Dreyfus