[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap 2.4.11 slave update chaining

Alan Evans a écrit :
I have read through the docs over and over and I am still not quite able to wrap my head around idassert-bind and chaining. Can someone please help me figure this configuration out.

I have a ldap master and ldap slave and I want the slave to chain updates to the master so the clients don't have to worry about following referrals.

I am successful in getting the slave to follow the referral and return errors from the master however with various combinations of idassert-bind bindmethod=(none,simple) and mode=(self, legacy) I get errors about insufficent access or needing more rights.

   1. Client binds with dn and password to slave
   2. Client submits modify request to slave
   3. Slave binds to master with binddn (bindmethod=simple)
   4. Slave rebinds to master with dn and password provided by the
      client (mode=self, chain-rebind-as-user TRUE)
   5. Slave submits modify to master as client (chain is global)
   6. Master checks client's dn for access
   7. Master performs update
   8. Master returns result to slave
   9. Slave returns result to client
Not exactly what you need, but chaining works OK for me, using a proxy user (no rebind-as-user policy)

In the slave:
chain-idassert-authzFrom "*"

In the master:
# proxy authorization policy
authz-policy to

And my proxy entry:
# chain, roles, futurs.inria.fr
dn: cn=chain,ou=roles,dc=futurs,dc=inria,dc=fr
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: chain
description: slave server proxy user
authzTo: dn:*

Guillaume Rousse
Service des Moyens Informatiques
INRIA Saclay - Île-de-France
Parc Orsay Université, 4 rue J. Monod
91893 Orsay Cedex France
Tel: 01 69 35 69 62