Re: Does chain overlay support sasl binding?

[Simon Gao <gao@schrodinger.com>]

Pierangelo Masarati wrote:
> Simon Gao wrote:
>
>   
>> That's great to know. Do you think following setup will work on a consumer?
>>
>> =========================================================
>> overlay                 chain
>> chain-rebind-as-user    FALSE
>>
>> chain-uri               ldaps://provider/
>> chain-rebind-as-user    TRUE
>> chain-idassert-bind    bindmethod=sasl
>>                                    saslmech=GSSAPI
>>                                   
>> binddn="uid=host/consumer1,cn=gssapi,cn=auth
>>                                    mode="self"
>> =========================================================
>>
>> I have set ACL on provider so that uid=host/consumer1 has correct
>> permissions to write all attributes.  But it did not work. The error
>> says that host/consumer1 not allowed to assert identity.
>>
>> Do I need to make host/consumer1 an administrative identity on provider?
>> How?
>>
>> The issue I am trying to resolve is that I prefer not putting clear text
>> password in slapd.conf. SASL binding fits such need perfectly if I can
>> get it work with chain overlay.
>>     
>
> It appears that authz is not allowed by the provider for that identity.
>  You need to make sure that host/consumer1 has an authzTo rule that
> allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
>
>   
I am not making much progress. Here what I tried to add to provider's
slapd.conf:

authz-policy    both
authzFrom       dn.exact:uid=host/consumer1,cn=GSSAPI,cn=auth
authzTo         dn.subtree:ou=people,dc=example,dc=com


Anything I missed?

Simon