
Possible to rebind-as-user with chain overlay using TLS client certificates?

Hey all,

We've got a fairly straightforward producer/consumer setup with a single producer and multiple syncrepl consumers configured with an updateref back to the producer. The consumers are set up to use the chain overlay with the ldap backend for transparent password updates. We use TLS client certificates to authenticate the clients to the consumers and the consumers to the producers with SASL EXTERNAL binds.

However, I've been struggling with configuring what I had hoped would be a simple part of the setup. We would like the ability to have the user simple bind as themselves to the consumer and then have the chain overlay transparently follow the updateref back to the producer and rebind as the user there to do the PASSMOD update. For whatever reason, I haven't been successful at making that happen. I've tried several attempts at various back_ldap configurations, to no avail. By playing with the olcDbIdAssertBind and various mode/flags, I can get the backend to attempt ProxyAuth (which we'd prefer not to use if possible), and alternatively I am able to get the chain to anonymously bind, but I am not able to initiate a rebind as the originating user.

We're running slapd 2.4.31 under Debian Wheezy on the producer and a variety of 2.4.31 and 2.4.40 slapd consumers under Debian Wheezy and Debian Jessie, respectively.

I was hoping you'd be able to shed some light on whether this is even possible? Attached is the most recent configuration that I believe should work for my needs.

Current consumer config:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE
structuralObjectClass: olcChainConfig

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
structuralObjectClass: olcLDAPConfig
olcDbURI: ldap://ldap-primary
olcDbRebindAsUser: TRUE
olcDbStartTLS: start tls_cert=/etc/ssl/certs/ldap-consumer.crt tls_key=/etc/ssl/private/ldap-consumer.key tls_cacert=/usr/share/ca-certificates/cosmos/ldap_producer_ca_pem.crt

Matt Kemp
Production Engineer
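Whatever the answer on rebinding turns out to be, the security-relevant property of this setup is that any chained simple bind or password modify carries the user's credentials across the consumer-to-producer link, so that link must be TLS-protected. The following is an added example (not the poster's code or part of the thread): it parses the chain database entry quoted above with a minimal LDIF reader and reports whether the link relies on unconditional StartTLS and whether certificate verification (tls_reqcert) is set explicitly; the finding strings are this example's own wording.

```python
"""Check a slapd chain-overlay database entry for how credentials reach the
producer. Added example, not from the original mail; it parses the consumer
LDIF quoted above (copied inline) and reports findings as plain strings."""

# Constructed input: the olcDatabase={0}ldap entry from the consumer config.
CONSUMER_LDIF = """\
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://ldap-primary
olcDbRebindAsUser: TRUE
olcDbStartTLS: start tls_cert=/etc/ssl/certs/ldap-consumer.crt tls_key=/etc/ssl/private/ldap-consumer.key tls_cacert=/usr/share/ca-certificates/cosmos/ldap_producer_ca_pem.crt
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per entry. Folded lines (leading
    space) are joined; base64 ('::') values are kept undecoded."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # LDIF line folding
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line:
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_chain_db(entry):
    """Findings about the consumer -> producer link used for chained ops."""
    findings = []
    tls = entry.get("olcDbStartTLS", [""])[0].split()
    mode = tls[0] if tls else "unset"
    for uri in entry.get("olcDbURI", []):
        # 'try-start' falls back to clear if StartTLS fails; only an
        # unconditional 'start' (or 'propagate') keeps chained creds off the wire.
        if uri.startswith("ldap://") and mode not in ("start", "propagate"):
            findings.append(f"{uri}: no unconditional StartTLS (olcDbStartTLS={mode})")
    if mode != "unset" and not any(t.startswith("tls_reqcert=") for t in tls[1:]):
        findings.append("tls_reqcert not explicit; confirm producer cert check")
    return findings
```

For the config quoted in the mail the only finding is the implicit tls_reqcert; confirm what verification level the consumer's global TLS settings give it.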