
passwd, proxying, and idassert-authzFrom



Hello,

I have a master OpenLDAP server, with a bunch of slaves, and then Linux
clients talking to the slaves. We've used olcUpdateRef/updateref for a
while, but have a situation where we need to proxy connection on behalf of
clients via the slaves.

So we have configured a slapo-chain(5) overlay, with the following settings:

    olcDbURI: ldap://10.0.0.555/
    olcDbIDAssertBind: bindmethod=simple \
        binddn="cn=update,dc=example,dc=ca" \
        credentials=s3cr3t mode=self
    olcDbRebindAsUser: TRUE

However, when users try to run passwd(1) (with pam_ldap.conf(5) having the
"pam_password exop" setting) they get:

> LDAP password information update failed: Strong(er) authentication required
only authenticated users may change passwords
> passwd: Permission denied
> passwd: password unchanged

On the master, we have:

> Apr 12 13:14:00 ops slapd[26119]: conn=16 fd=32 ACCEPT from IP=111.222.333.444:59985 (IP=0.0.0.0:389)
> Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 BIND dn="" method=128
> Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 RESULT tag=97 err=0 text=
> Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
> Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 PASSMOD
> Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 RESULT oid= err=8 text=only authenticated users may change passwords

The (cn=update...) DN has an "authzTo" attribute set to
"{0}dn.regex:^uid=[^,]+,ou=People,dc=example,dc=ca".

I'm guessing I may need to set idassert-authzFrom (olc equiv?) to
something. Is this correct? If so, should it be restricted to ou=People?
If not, what am I missing?

Thanks for any info.

Regards,
David
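The master's log already records which identity the Password Modify exop arrived under: the `BIND dn="" method=128` on conn=16 reads as an anonymous simple bind, and err=8 (strongerAuthRequired) with "only authenticated users may change passwords" is the master refusing the exop on that anonymous connection. When debugging chain/idassert setups it helps to correlate these records automatically rather than by eye. The script below is an added example, not part of David's post or of OpenLDAP: it ties each Password Modify exop (OID 1.3.6.1.4.1.4203.1.11.1) to the bind identity of its connection and to any DN asserted with the proxyAuthz control, and runs over constructed log lines modelled on the ones quoted above. The second connection (conn=17), the `PROXYAUTHZ dn=` line format, and all hosts, ports and DNs in the sample are assumptions.

```python
"""Correlate slapd stats-level log lines to see which identity a Password
Modify extended operation (OID 1.3.6.1.4.1.4203.1.11.1) actually arrived
under: anonymous, a directly bound DN, or a proxied identity asserted with
the proxyAuthz control.  Added example, not code from the post or OpenLDAP."""
import re

PASSWORD_MODIFY_OID = "1.3.6.1.4.1.4203.1.11.1"

# Record shapes.  ACCEPT, BIND, EXT and RESULT follow the lines quoted in the
# post; the PROXYAUTHZ shape is assumed to be what slapd logs when an
# operation carries a proxyAuthz control (check it against your own logs).
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=(\d+)')
EXT_RE = re.compile(r'conn=(\d+) op=(\d+) EXT oid=(\S+)')
PROXYAUTHZ_RE = re.compile(r'conn=(\d+) op=(\d+) PROXYAUTHZ dn="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT (?:tag=\d+ )?(?:oid=\S* )?err=(\d+)')

# Constructed sample.  conn=16 mirrors the failure in the post (anonymous
# bind, PASSMOD refused with err=8).  conn=17 is a constructed contrast: the
# proxy binds as its own DN and asserts the user via proxyAuthz.  The IPs,
# ports and user DN are placeholders, not real systems.
SAMPLE_LOG = """\
Apr 12 13:14:00 ops slapd[26119]: conn=16 fd=32 ACCEPT from IP=111.222.333.444:59985 (IP=0.0.0.0:389)
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 BIND dn="" method=128
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=0 RESULT tag=97 err=0 text=
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 PASSMOD
Apr 12 13:14:00 ops slapd[26119]: conn=16 op=1 RESULT oid= err=8 text=only authenticated users may change passwords
Apr 12 13:15:02 ops slapd[26119]: conn=17 fd=33 ACCEPT from IP=10.0.0.7:41022 (IP=0.0.0.0:389)
Apr 12 13:15:02 ops slapd[26119]: conn=17 op=0 BIND dn="cn=update,dc=example,dc=ca" method=128
Apr 12 13:15:02 ops slapd[26119]: conn=17 op=0 RESULT tag=97 err=0 text=
Apr 12 13:15:03 ops slapd[26119]: conn=17 op=1 EXT oid=1.3.6.1.4.1.4203.1.11.1
Apr 12 13:15:03 ops slapd[26119]: conn=17 op=1 PROXYAUTHZ dn="uid=jdoe,ou=People,dc=example,dc=ca"
Apr 12 13:15:03 ops slapd[26119]: conn=17 op=1 PASSMOD
Apr 12 13:15:03 ops slapd[26119]: conn=17 op=1 RESULT oid= err=0 text=
"""


def classify(rec):
    """Label a Password Modify record by the identity the server saw."""
    if rec["bind_dn"] == "":
        return "anonymous"   # the connection had no identity at all
    if rec["authz_dn"]:
        return "proxied"     # bound as the proxy, acting on behalf of authz_dn
    return "direct"          # whoever bound is acting as itself


def analyze(log_text):
    """Return one record per Password Modify exop: connection bind DN,
    proxyAuthz-asserted DN (if any), result code and a verdict label."""
    bound_as = {}      # conn -> DN of the last successful BIND ("" = anonymous)
    pending_bind = {}  # (conn, op) -> DN offered, until its RESULT arrives
    proxied = {}       # (conn, op) -> DN asserted via proxyAuthz
    pending_exop = {}  # (conn, op) -> partial record, until its RESULT arrives
    findings = []
    for line in log_text.splitlines():
        if m := ACCEPT_RE.search(line):
            bound_as[m.group(1)] = ""          # every new connection starts anonymous
            continue
        if m := BIND_RE.search(line):
            pending_bind[(m.group(1), m.group(2))] = m.group(3)
            continue
        if m := PROXYAUTHZ_RE.search(line):
            proxied[(m.group(1), m.group(2))] = m.group(3)
            continue
        if (m := EXT_RE.search(line)) and m.group(3) == PASSWORD_MODIFY_OID:
            key = (m.group(1), m.group(2))
            pending_exop[key] = {"conn": key[0], "op": key[1],
                                 "bind_dn": bound_as.get(key[0], "")}
            continue
        if m := RESULT_RE.search(line):
            key, err = (m.group(1), m.group(2)), int(m.group(3))
            if key in pending_bind:
                dn = pending_bind.pop(key)
                if err == 0:
                    bound_as[key[0]] = dn      # bind succeeded: connection now has this identity
            elif key in pending_exop:
                rec = pending_exop.pop(key)
                rec["authz_dn"] = proxied.pop(key, None)
                rec["err"] = err
                rec["verdict"] = classify(rec)
                findings.append(rec)
    return findings


if __name__ == "__main__":
    for rec in analyze(SAMPLE_LOG):
        print(f'conn={rec["conn"]} op={rec["op"]} passmod bind_dn="{rec["bind_dn"]}" '
              f'authz_dn={rec["authz_dn"]} err={rec["err"]} -> {rec["verdict"]}')
```

Run against a real master's stats log, an "anonymous" verdict on a connection from a slave's address is the quickest way to confirm that the chain overlay forwarded the exop without binding as its idassert identity; a "proxied" verdict with the expected user DN shows the identity assertion actually reached the master.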