Hey all,
We've got a fairly straightforward producer/consumer setup with a single
producer and multiple syncrepl consumers configured with an updateref back
to the producer. The consumers are set up to use the chain overlay with the
ldap backend for transparent password updates. We use TLS client
certificates to authenticate the clients to the consumers and the consumers
to the producers with SASL EXTERNAL binds.
However, I've been struggling with configuring what I had hoped would be a
simple part of the setup. We would like the ability to have the user simple
bind as themselves to the consumer and then have the chain overlay
transparently follow the updateref back to the producer and rebind as the
user there to do the PASSMOD update. For whatever reason, I haven't been
successful at making that happen. I've tried several attempts at various
back_ldap configurations, to no avail. By playing with the
olcDbIdAssertBind and various mode/flags, I can get the backend to attempt
ProxyAuth (which we'd prefer not to use if possible), and alternatively I
am able to get the chain to anonymously bind, but I am not able to initiate
a rebind as the originating user.
We're running slapd 2.4.31 under Debian Wheezy on the producer and a
variety of 2.4.31 and 2.4.40 slapd consumers under Debian Wheezy and Debian
Jessie, respectively.
I was hoping you'd be able to shed some light on whether this is even
possible? Attached is the most recent configuration that I believe should
work for my needs.
Thanks!
---
Current consumer config:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE
structuralObjectClass: olcChainConfig

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
structuralObjectClass: olcLDAPConfig
olcDbURI: ldap://ldap-primary
olcDbRebindAsUser: TRUE
olcDbStartTLS: start tls_cert=/etc/ssl/certs/ldap-consumer.crt tls_key=/etc/ssl/private/ldap-consumer.key tls_cacert=/usr/share/ca-certificates/cosmos/ldap_producer_ca_pem.crt
--
Matt Kemp
Production Engineer
Braintree
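An added example to go with the configuration quoted above (it is not the poster's code and not part of OpenLDAP): a small Python checker that unfolds an LDIF dump of cn=config the way RFC 2849 prescribes, pulls out the olcChainDatabase entry that the chain overlay uses to follow the updateref, and reports the settings a reviewer would look at first: an ldap:// URI without olcDbStartTLS, a try-start mode that silently continues in cleartext, a missing tls_cacert, and olcDbRebindAsUser combined with olcDbIdAssertBind. The embedded sample LDIF is constructed from the consumer entries in the post; the attribute names are the real cn=config attributes, and the wording of the findings is this example's own.

```python
"""Unfold a cn=config LDIF dump and sanity-check the back_ldap database that
sits under the chain overlay.  Added example for this thread; it is not the
poster's configuration nor part of OpenLDAP."""

# Constructed sample: the consumer entries quoted in the post, written as
# RFC 2849 LDIF (continuation lines begin with one space).
SAMPLE_LDIF = """\
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE
structuralObjectClass: olcChainConfig

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}
 frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
structuralObjectClass: olcLDAPConfig
olcDbURI: ldap://ldap-primary
olcDbRebindAsUser: TRUE
olcDbStartTLS: start tls_cert=/etc/ssl/certs/ldap-consumer.crt
  tls_key=/etc/ssl/private/ldap-consumer.key tls_cacert=/usr/share/ca-certi
 ficates/cosmos/ldap_producer_ca_pem.crt
"""


def unfold(text):
    """Join folded lines: a line starting with a single space continues the
    previous one and the space itself is dropped (so 'ca-certi' + 'ficates'
    becomes 'ca-certificates')."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return entries as dicts of attribute -> list of values; the DN is kept
    under 'dn'.  Base64 (::) and URL (:<) values are not handled here."""
    entries, current = [], {}
    for line in unfold(text):
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_tls(value):
    """Split an olcDbStartTLS value such as
    'start tls_cert=... tls_key=... tls_cacert=...' into (mode, options)."""
    parts = value.split()
    if not parts:
        return "", {}
    options = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return parts[0], options


def check_chain_config(entries):
    """Return findings for every olcChainDatabase entry (the back_ldap
    instance the chain overlay uses to follow the updateref)."""
    findings = []
    for entry in entries:
        if "olcChainDatabase" not in entry.get("objectClass", []):
            continue
        dn = entry["dn"][0]
        uri = entry.get("olcDbURI", [""])[0]
        mode, tls = parse_tls(entry.get("olcDbStartTLS", [""])[0])
        rebind = entry.get("olcDbRebindAsUser", ["FALSE"])[0].upper() == "TRUE"
        if uri.startswith("ldap://") and not mode:
            findings.append(f"{dn}: ldap:// URI with no olcDbStartTLS; the "
                            "chained simple bind would cross the wire in cleartext")
        if mode.startswith("try-"):
            findings.append(f"{dn}: '{mode}' only attempts StartTLS and continues "
                            "in cleartext if the producer refuses it")
        if mode and "tls_cacert" not in tls:
            findings.append(f"{dn}: no tls_cacert on the chain database; producer "
                            "certificate checking falls back to the libldap "
                            "defaults (ldap.conf TLS_CACERT/TLS_REQCERT)")
        if rebind and "olcDbIdAssertBind" in entry:
            findings.append(f"{dn}: olcDbRebindAsUser and olcDbIdAssertBind are "
                            "both set; they choose different bind identities "
                            "for the chased operation, keep only the one you want")
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for finding in check_chain_config(parse_ldif(text)) or ["no findings"]:
        print(finding)
```

Run it with no argument to check the embedded sample (which produces no findings), or point it at a dump of the live consumer config such as the output of `slapcat -n 0`; the olcDbIdAssertBind finding is the one to watch while experimenting with idassert modes, since leaving it behind next to olcDbRebindAsUser is an easy way to end up with the ProxyAuth behaviour the post describes.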