Matthew Kemp wrote:
On Thu, Apr 20, 2017 at 6:36 AM, mailing lists <[email protected]> wrote:
Hello,
I am testing the chain overlay from a read-only slave (consumer) slapd
server to a read-write master (provider), but what I am seeing is an
anonymous bind from the consumer to the provider instead of the
authorization identity configured in the chain directive.
We're also seeing the same behavior and reported a similar issue last month to
this list:
http://www.openldap.org/lists/openldap-technical/201703/msg00047.html
I'm hopeful we can track down this issue as it's causing us some issues that
we'll need to resolve eventually.
Only ProxyAuth will work, now.
As documented, the chain overlay only intercepts responses to operations, and
only acts when it sees a referral in the response. In order for rebind-as-user
to work, the overlay would need to intercept Bind requests and cache the
credentials, but it never intercepts Bind requests, therefore it has nothing
to rebind with. It *could* intercept referrals from Bind responses, and grab
the user's credentials at that point. But back in 2004 we turned those off,
and slapd now will never return a referral to a Bind request. (commit
100facedf3c9ec241121a5e3ad7aa059a7c57bc2 in git.) Probably we should remove
references to rebind-as-user from the slapo-chain(5) manpage now, since that
commit basically killed this feature.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
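Added example, not from the thread: a slapd.conf fragment for the only path Howard says still works, proxy authorization through chain-idassert-bind (mode=self), instead of chain-rebind-as-user. Hostnames, DNs and the password are placeholders; the consumer's updateref is what generates the referral that slapo-chain intercepts.

```conf
# ---- Consumer (read-only replica) slapd.conf, added example ----
# Writes arriving at the consumer are answered with a referral to the
# provider; slapo-chain only acts on that referral in the response.
updateref   ldap://provider.example.com

overlay     chain
chain-uri   "ldap://provider.example.com"

# Bind to the provider once as a dedicated, low-privilege proxy identity
# (placeholder DN/password), then assert the original client's DN on each
# chained operation with the proxyAuthz control (mode=self).
# chain-rebind-as-user is deliberately not set: the overlay never sees the
# client's Bind, so it has no credentials to rebind with.
chain-idassert-bind bindmethod=simple
    binddn="cn=chain-proxy,dc=example,dc=com"
    credentials="PLACEHOLDER-CHANGE-ME"
    mode=self

# Surface provider-side errors to the client instead of a bare referral.
chain-return-error TRUE

# ---- Provider slapd.conf, added example ----
# Let the proxy entry's own authzTo attribute decide which identities it
# may assert; keep it scoped to the replicated subtree.
authz-policy to

# On the provider, add to cn=chain-proxy,dc=example,dc=com (LDIF):
#   authzTo: ldap:///dc=example,dc=com??sub?(objectClass=*)
# Check on the provider log (loglevel stats) that chained writes show
# "PROXYAUTHZ dn=<client dn>" after the proxy's BIND, not an anonymous bind.
```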