--On Monday, April 18, 2022 6:49 PM +0000 [email protected] wrote:

Hope this helps clarify what I'm looking for.


Hi Kartik,

We do something similar at Klarna. Our olcDbIDAssertBind configuration is:

olcDbIDAssertBind: mode=self flags=override,prescriptive,proxy-authz-critical bindmethod=sasl saslmech=external tls_cert=... tls_key=... tls_cacert=...

Then our olcSyncrepl config has:

olcSyncrepl rid=001 provider=... bindmethod=sasl saslmech=external authzid="dn:cn=replicator,..." searchbase=... type=... keepalive=... retry=... tls_cert=... tls_key=... tls_cacert=... timeout=..


I would note that we also have a custom patch applied to the OpenLDAP 2.4 series to fix an issue with proxy authorization (it does not fully apply to 2.5+) and ACL evaluation using the wrong identity.

--Quanah
