
Re: overlay chain [RESOLVED]



Emmanuel Dreyfus <manu@netbsd.org> wrote:

> overlay                 chain
> chain-uri               ldaps://ldapmaster.example.net
> chain-idassert-bind     bindmethod=sasl
>                         saslmech=EXTERNAL
>                         binddn="cn=foo"
>                         mode=self
> chain-idassert-authzFrom "*"
> chain-return-error TRUE

> It did work with 2.3 but seems broken in 2.4. The slave accepts the
> client's connection, but when it attempts to do the modification:
> 
> modifying entry "uid=foo,o=example"
> ldap_modify: Authentication method not supported (7)
> 
> Any hint appreciated

Here is the answer: since 2.4, when slapd acts as a client, certificate
information (key, cert and CA) must be explicitly provided: the server
side settings from TLSCertificateFile, TLSCertificateKeyFile and
TLSCACertificateFile are never used.

So here is the overlay chain configuration that works using x509
certificates for authentication to the LDAP master (binddn is still both
mandatory and ignored).

overlay                 chain
chain-uri               ldaps://ldapmaster.example.net
chain-idassert-bind     bindmethod=sasl
                        saslmech=EXTERNAL
                        binddn="cn=dontcare"
                        tls_cert=/etc/openssl/certs/ldapslave1.crt
                        tls_key=/etc/openssl/private/ldapslave1.key
                        tls_cacert=/etc/openssl/certs/ca.crt
                        tls_reqcert=demand
                        mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
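As an added check, not part of the original message, here is a small Python lint that parses a slapd.conf chain stanza (folding the leading-whitespace continuation lines) and flags a chain-idassert-bind that does SASL EXTERNAL over ldaps:// without its own tls_cert/tls_key/tls_cacert, or without the binddn the post says is mandatory; the sample stanzas and certificate paths are constructed.

```python
"""Constructed lint for the slapd 2.4 chain pitfall in the post: slapd as a
client ignores the server TLS* settings, so SASL EXTERNAL over ldaps:// needs
tls_cert/tls_key/tls_cacert inside chain-idassert-bind itself."""
import shlex

REQUIRED_TLS = ("tls_cert", "tls_key", "tls_cacert")

def parse_slapd_conf(text):
    """(directive, [args]) tuples; leading-whitespace lines are continuations."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return [(p[0].lower(), p[1:]) for p in map(shlex.split, logical)]

def check_chain_idassert(text):
    """Return findings for the chain stanza in `text`; an empty list is OK."""
    entries = parse_slapd_conf(text)
    ldaps = any(d == "chain-uri" and a and a[0].lower().startswith("ldaps://")
                for d, a in entries)
    findings = []
    for directive, args in entries:
        if directive != "chain-idassert-bind":
            continue
        opts = dict(a.split("=", 1) for a in args if "=" in a)
        if "binddn" not in opts:
            findings.append("binddn missing (mandatory even though ignored)")
        external = (opts.get("bindmethod") == "sasl"
                    and opts.get("saslmech", "").upper() == "EXTERNAL")
        if external and ldaps:
            findings += [f"{key} missing: server-side TLS* settings are not "
                         "used when slapd is the client"
                         for key in REQUIRED_TLS if key not in opts]
    return findings

# Constructed samples modelled on the two stanzas in the post.
BROKEN = """\
chain-uri               ldaps://ldapmaster.example.net
chain-idassert-bind     bindmethod=sasl
                        saslmech=EXTERNAL
                        binddn="cn=foo"
                        mode=self
"""
FIXED = BROKEN.replace("mode=self", "tls_cert=/etc/openssl/certs/slave.crt "
    "tls_key=/etc/openssl/private/slave.key tls_cacert=/etc/openssl/certs/ca.crt mode=self")
```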