
Re: Does chain overlay support sasl binding?



Simon Gao wrote:
>> It appears that authz is not allowed by the provider for that identity.
>>  You need to make sure that host/consumer1 has an authzTo rule that
>> allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
>>
> I am not making much progress. Here is what I tried to add to the provider's
> slapd.conf:
>
> authz-policy    both
> authzFrom       dn.exact:uid=host/consumer1,cn=GSSAPI,cn=auth
> authzTo         dn.subtree:ou=people,dc=example,dc=com
>
>
> Anything I missed?
>
>   
I am making some progress on this. Following example test014, I am able
to get sasl bind working.

I still have two questions.

1) For chain-idassert-bind, if I put bindmethod, saslmech, binddn, mode
on each individual line, then sasl binding does not work. They all must
be on the same line. Any reason why multiple lines work for simple
bind, but not for sasl binding? The inconsistency will cause more
effort in troubleshooting.

2) Is it possible to add authzTo/authzFrom at the
"ou=people,dc=example,dc=com" level and have all the child entries be proxy
authenticated?

Simon
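
An added example, not part of the original message: a small Python check built on the slapd.conf(5) rule that a line beginning with white space continues the previous line, showing which parameters actually end up on chain-idassert-bind when they are spread over several lines. The two sample configurations, the host name and the function names are constructed for illustration, and it assumes the parameters were written one per line as in the first sample.

```python
import shlex

# Parameter keywords of idassert-bind, as listed in slapd-ldap(5).
IDASSERT_KEYS = {"bindmethod", "binddn", "credentials", "saslmech", "secprops",
                 "realm", "authcid", "authzid", "authz", "mode", "flags"}

# Constructed sample: parameters on separate lines that start in column 0.
SPLIT = """\
overlay chain
chain-uri "ldap://provider.example.com"
chain-idassert-bind bindmethod=sasl
saslmech=GSSAPI
mode=self
"""

# Constructed sample: the same parameters as indented continuation lines.
WRAPPED = """\
chain-idassert-bind bindmethod=sasl
    saslmech=GSSAPI
    mode=self
"""

def logical_lines(text):
    """Join physical lines: a line starting with white space continues the
    previous one. Comments and blanks are dropped only after unwrapping."""
    out = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and raw.strip() and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.rstrip())
    return [l for l in out if l.strip() and not l.startswith("#")]

def check_idassert(text):
    """Return (params, orphans): the key=value pairs attached to
    chain-idassert-bind, and parameter lines left outside the directive."""
    params, orphans = {}, []
    for line in logical_lines(text):
        words = shlex.split(line)
        if words[0].lower() == "chain-idassert-bind":
            for w in words[1:]:
                key, _, value = w.partition("=")
                params[key.lower()] = value
        elif words[0].partition("=")[0].lower() in IDASSERT_KEYS:
            orphans.append(line)  # parsed as its own directive, not a parameter
    return params, orphans

if __name__ == "__main__":
    for name, conf in (("split", SPLIT), ("wrapped", WRAPPED)):
        print(name, check_idassert(conf))
```

Any line reported as an orphan is one the configuration parser treats as a separate directive rather than as part of the identity-assertion bind settings.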