Pierangelo Masarati wrote:
> Simon Gao wrote:
>
>> That's great to know. Do you think following setup will work on a consumer?
>>
>> =========================================================
>> overlay chain
>> chain-rebind-as-user FALSE
>>
>> chain-uri ldaps://provider/
>> chain-rebind-as-user TRUE
>> chain-idassert-bind bindmethod=sasl
>> saslmech=GSSAPI
>>
>> binddn="uid=host/consumer1,cn=gssapi,cn=auth"
>> mode="self"
>> =========================================================
>>
>> I have set ACL on provider so that uid=host/consumer1 has correct
>> permissions to write all attributes. But it did not work. The error
>> says that host/consumer1 is not allowed to assert identity.
>>
>> Do I need to make host/consumer1 an administrative identity on provider?
>> How?
>>
>> The issue I am trying to resolve is that I prefer not putting a clear text
>> password in slapd.conf. SASL binding fits such a need perfectly if I can
>> get it to work with the chain overlay.
>>
>
> It appears that authz is not allowed by the provider for that identity.
> You need to make sure that host/consumer1 has an authzTo rule that
> allows it to proxyAuthz, and you need to allow the appropriate authz-policy.
>

I am not making much progress. Here is what I tried to add to the provider's slapd.conf:

authz-policy both
authzFrom dn.exact:uid=host/consumer1,cn=GSSAPI,cn=auth
authzTo dn.subtree:ou=people,dc=example,dc=com

Anything I missed?

Simon
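For readers following the thread, here is one way to express the provider-side setup Pierangelo describes (an authzTo rule on the authenticating identity plus a matching authz-policy). This is an added example, not configuration from either poster; it assumes a hypothetical ou=hosts,dc=example,dc=com container holding one entry per consumer host, keyed by the Kerberos principal in its uid attribute.

```conf
# --- provider slapd.conf, global section (added example) ---

# Map the SASL/GSSAPI authentication identity that the consumer binds with
# (uid=host/consumer1,cn=gssapi,cn=auth) onto a real directory entry.  The
# authzTo rule is an attribute of the authenticating identity's entry, so the
# identity must resolve to an entry before any rule can be attached to it.
authz-regexp
    "uid=([^,]+),cn=gssapi,cn=auth"
    "ldap:///ou=hosts,dc=example,dc=com??one?(uid=$1)"

# Honour only authzTo rules carried by the authenticating identity.  With
# "to", a target entry cannot grant proxy rights to arbitrary identities via
# authzFrom, which keeps the set of proxy-capable identities small and auditable.
authz-policy to

# ACLs now see the mapped DN, not the cn=auth form, so the consumer host's
# write access must be granted to that DN.
access to dn.subtree="ou=people,dc=example,dc=com"
    by dn.exact="uid=host/consumer1,ou=hosts,dc=example,dc=com" write
    by * read

# --- LDIF applied to the provider with ldapmodify (added example) ---
# authzTo is an operational attribute, so no extra objectClass is required.
# The subtree is deliberately limited to the data the consumer chains writes
# for; do not use a broader scope than the replicated data actually needs.
dn: uid=host/consumer1,ou=hosts,dc=example,dc=com
changetype: modify
replace: authzTo
authzTo: dn.subtree:ou=people,dc=example,dc=com
```

After the change, a bind as the host principal followed by an operation carrying the proxied authorization identity of a user under ou=people should succeed, while proxying as a DN outside that subtree is refused by the provider.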
