Pierangelo Masarati <[EMAIL PROTECTED]> wrote:

> > But the modification operation is done using the identity from the
> > replica TLS certificate (which fails) and not from the initial user.
>
> Owing to a "feature" in idassert code, an authcId or a binddn must be
> present for the proxyAuthz control to be successfully added to the
> chained request.
>
> If you use mechs like EXTERNAL, it's going to be empty, resulting in the
> behavior you observed. Please try adding whatever to authcId or binddn
> (for example binddn="cn=chain") and report.
It does alter the behavior: now I get this on the master:

Sep 9 23:41:10 ldap0 slapd[5365]: conn=170 op=1 RESULT tag=103 err=47 text=not authorized to assume identity

And the BIND operation still shows the TLS certificate DN for both authzid and authcid: the binddn or authcid I provide does not appear.

Am I missing some directive on the master to allow the proxy authorization?

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
[EMAIL PROTECTED]
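As an added illustration, not part of the thread and not a configuration either poster published, here is a slapd.conf sketch of the two halves involved: the consumer-side chain overlay carrying the binddn Pierangelo suggests, and the provider-side directives that decide whether a bound identity may assume another one (the err=47 "not authorized to assume identity" result is what those directives govern). Host names, DNs, certificate paths and the authz-regexp pattern are assumed placeholders.

```conf
# --- consumer (replica) side, inside the chained database (assumed example) ---
overlay chain
chain-uri "ldaps://master.example.com"
chain-idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    binddn="cn=chain"
    mode=self
    tls_cert=/etc/openldap/replica-cert.pem
    tls_key=/etc/openldap/replica-key.pem
chain-idassert-authzFrom "*"
chain-return-error TRUE

# --- provider (master) side, global section (assumed example) ---
# Map the replica's TLS certificate subject (the identity the master sees
# in the BIND, as the thread notes) onto an entry in the DIT.
authz-regexp
    "cn=replica,ou=servers,o=example"
    "cn=replica,ou=servers,dc=example,dc=com"

# "to" policy: slapd consults the authzTo attribute of the bound (mapped)
# entry to decide which identities it may assume via proxyAuthz.
authz-policy to
```

The mapped entry on the provider then needs an `authzTo` value that covers the identities the replica will assert; in LDIF (assumed, with placeholder names) that would look like:

```ldif
dn: cn=replica,ou=servers,dc=example,dc=com
objectClass: applicationProcess
cn: replica
authzTo: dn.subtree:dc=example,dc=com
```

`dn.subtree:` limits the grant to entries under the suffix; `dn.regex:` or an `ldap:///` URI form narrows it further, which is preferable to a blanket grant since a replica allowed to assume any DN is effectively a rootdn-equivalent on the provider.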
