I have a consumer server (2.4.57) that successfully forwards
pwdFailureTime modifications to the master server using GSSAPI
authentication. I want to replace GSSAPI with certificate-based (SASL
EXTERNAL) authentication along with proxy authorization. Basically, I
want to configure the equivalent of the following command line:
LDAPTLS_KEY=server.key LDAPTLS_CERT=server.crt \
ldapmodify -Z -Y EXTERNAL \
-e '!authzid=dn:cn=proxydn,dc=example,dc=com' -e relax \
-h ldap-master.example.com -f update_pwdfailuretime.ldif
The command line works as expected -- it authenticates successfully
using the server certificate, and then does PROXYAUTHZ to
cn=proxydn,dc=example,dc=com to perform the modify operation. The issue
is when I try to configure this behavior with chain on the consumer
server. I've tried various incantations along these lines:
chain-idassert-bind bindmethod=SASL saslmech=EXTERNAL
tls_cert=server.crt tls_key=tls.key authzId=dn:cn=proxydn,dc=example,dc=com
The SASL EXTERNAL authentication works fine -- it binds to the master
with the DN mapped from the certificate's subject. But it doesn't do the
proxyauthz to cn=proxydn,dc=example,dc=com. I've read through the docs
in detail and tried various modes, flags and other settings, but I can't
get it to do the proxy authz.
Does anyone have a known working config for this kind of setup that they
can share? Otherwise, any suggestions on the best way to troubleshoot
this further would be great.
Thanks,
-Kartik