--On Saturday, April 22, 2023 6:07 PM +0200 Benjamin Renard
<bren...@easter-eggs.com> wrote:
>> you failed to provide any OpenLDAP version information.
> You're right, I'm using slapd 2.4.57+dfsg-3+deb11u1 (on Debian stable).
Hi,
As a side note, OpenLDAP 2.4 series is historic and no longer supported. I
believe Debian has 2.5 available in backports for stable? Or there are
builds for currently supported release series available from Symas or the
LTB project:
<https://repo.symas.com/>
<https://ltb-project.org/download.html>
With that out of the way...
If you read the admin guide
(<https://www.openldap.org/doc/admin25/overlays.html#Chaining>), it is
explicitly stated that the chain configuration exists before any database
definitions (i.e., in the frontend). Here's what my cn=config looks like
for chain and back-ldap sitting on top of it with OpenLDAP 2.6. Note that
I populate both olcDbACLBind and olcDbIDAssertBind:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldaps://<provider>:<port>
olcDbACLBind: bindmethod=...
olcDbIDAssertBind: mode=self ...
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 8
olcDbSessionTrackingRequest: TRUE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE

Hope that helps!
Regards,
Quanah
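
A lint for the layout described in the message above, as an added example that is not part of the original message or of OpenLDAP: it parses a cn=config LDIF export (for instance from `slapcat -n 0`) and reports a chain overlay that is not under the frontend database, or a chain back-ldap entry missing olcDbACLBind or olcDbIDAssertBind. The sample entries, host name and bind values are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout from the message; bind values are placeholders.
SAMPLE_GOOD = """\
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcChainConfig

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,
 cn=config
objectClass: olcChainDatabase
olcDbURI: ldaps://provider.example:636
olcDbACLBind: bindmethod=simple binddn="cn=chain,dc=example,dc=com"
olcDbIDAssertBind: mode=self bindmethod=simple binddn="cn=chain,dc=example,dc=com"
"""
# Constructed variant: overlay under an mdb database, olcDbIDAssertBind missing.
SAMPLE_BAD = "\n".join(l for l in SAMPLE_GOOD.replace("{-1}frontend", "{1}mdb")
                       .splitlines() if not l.startswith("olcDbIDAssertBind"))
FRONTEND = "olcdatabase={-1}frontend,cn=config"

def parse_ldif(text):
    """Parse plain (non-base64) LDIF into a list of (dn, {attr: [values]})."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            if key.strip().lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries

def check_chain(text):
    """Report chain entries that differ from the layout described above."""
    findings = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        parent = dn.lower().partition(",")[2]  # DN with the first RDN removed
        if "olcchainconfig" in classes and parent != FRONTEND:
            findings.append(f"{dn}: chain overlay is not under the frontend database")
        if "olcchaindatabase" in classes:
            findings += [f"{dn}: {a} is not set"
                         for a in ("olcDbACLBind", "olcDbIDAssertBind") if a.lower() not in attrs]
    return findings
```

`check_chain(SAMPLE_GOOD)` returns an empty list; `check_chain(SAMPLE_BAD)` returns one finding for the overlay placement and one for the missing olcDbIDAssertBind.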