Hello,

You're right, 2.5 is available in backports, but I still preferred to use the stable version for fast delivery of security updates. The next release of Debian is coming soon; I will update my installations at that time.

I reconfigured chaining on the frontend instead of on the database, but I still have a problem. Same as before, if I try to connect to the LDAP slave with a bad password, the error is not reported on the LDAP master and I have nothing in the logs (level stats) that suggests it tried.

Furthermore, I tried to make a change on LDAP to test the chaining and I get the following error:

ldap_modify: Proxied Authorization Denied (123)

So, I mean I have an error to fix in chaining before hoping olcPPolicyForwardUpdates will work.

See my chaining configuration below:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
objectClass: top
olcOverlay: {0}chain
olcChainReturnError: TRUE
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
objectClass: top
olcDatabase: {0}ldap
olcDbURI: ldaps://ldap-master
olcDbCancel: abandon
olcDbChaseReferrals: TRUE
olcDbConnectionPoolMax: 8
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: FALSE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbSingleConn: FALSE
olcDbUseTemporaryConn: FALSE
olcDbACLBind: bindmethod=simple
  binddn="uid=syncrepl,ou=sysaccounts,o=example" credentials="secret"
  keepalive=10:30:60 network-timeout=0 timeout=0
olcDbIDAssertBind: mode=self bindmethod=simple
  binddn="uid=syncrepl,ou=sysaccounts,o=example" credentials="secret"
  authz=proxyauthz keepalive=10:30:60 network-timeout=0 timeout=0

I also configured authzProxy on the master and slave:

dn: cn=config
[...]
olcAuthzPolicy: to

dn: olcDatabase={1}mdb,cn=config
[...]
olcAccess: {0}to dn.subtree="cn=subschema"  by * read
olcAccess: {1}to * by
  dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  manage by * break
olcAccess: {2}to attrs=authzTo by self read
olcAccess: {3}to attrs=authzFrom by * read
[...]
olcUpdateRef: ldaps://ldap-master

dn: uid=syncrepl,ou=sysaccounts,o=example
[...]
authzTo: {0}dn.regex:^uid=.*,o=example$
authzTo: {1}dn.regex:^mail=.*,o=example$

Do you see something I'm doing wrong?

Many thanks!

On 24/04/2023 at 23:48, Quanah Gibson-Mount wrote:


--On Saturday, April 22, 2023 6:07 PM +0200 Benjamin Renard <[email protected]> wrote:


you failed to provide any OpenLDAP version information.

You're right, I'm using slapd 2.4.57+dfsg-3+deb11u1 (on Debian stable).

Hi,

As a side note, OpenLDAP 2.4 series is historic and no longer supported.  I believe Debian has 2.5 available in backports for stable? Or there are builds for currently supported release series available from Symas or the LTB project:

<https://repo.symas.com/>
<https://ltb-project.org/download.html>

with that out of the way....


If you read the admin guide (<https://www.openldap.org/doc/admin25/overlays.html#Chaining>), it is explicitly stated that the chain configuration exists before any database definitions (i.e., in the frontend). Here's what my cn=config looks like for chain and back-ldap sitting on top of it with OpenLDAP 2.6.  Note that I populate both olcDbACLBind and olcDbIDAssertBind:

dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainCacheURI: FALSE
olcChainMaxReferralDepth: 1
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldaps://<provider>:<port>
olcDbACLBind: bindmethod=...
olcDbIDAssertBind: mode=self ...
olcDbRebindAsUser: TRUE
olcDbChaseReferrals: TRUE
olcDbProxyWhoAmI: FALSE
olcDbProtocolVersion: 3
olcDbSingleConn: FALSE
olcDbCancel: abandon
olcDbUseTemporaryConn: FALSE
olcDbConnectionPoolMax: 8
olcDbSessionTrackingRequest: TRUE
olcDbNoRefs: FALSE
olcDbNoUndefFilter: FALSE


Hope that helps!

Regards,
Quanah


--
Benjamin Renard                  -                   Easter-eggs
44-46 rue de l'Ouest  -  75014 Paris   -   France -  Métro Gaité
Phone: +33 (0) 1 43 35 00 37   -  mailto:[email protected]
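As an added illustration (not code from this thread or from OpenLDAP), the Python below simulates how a provider evaluates a proxy identity's authzTo values against the identity being asserted. With olcDbIDAssertBind mode=self, the chain overlay asserts the DN of the user who bound to the consumer, so it is that DN that must match one of the syncrepl account's authzTo values; when no value matches, the provider refuses and the client sees Proxied Authorization Denied (123). DN normalisation is deliberately simplified, and the sample DNs are constructed.

```python
import re

# Constructed sample: the authzTo values of the syncrepl account from the thread.
AUTHZ_TO = [
    "dn.regex:^uid=.*,o=example$",
    "dn.regex:^mail=.*,o=example$",
]


def normalize(dn: str) -> str:
    """Approximate slapd DN normalisation: lower-case, drop spaces around RDNs.

    slapd does full schema-aware normalisation and handles escaped commas;
    this approximation is enough to show the matching logic."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def rule_permits(rule: str, asserted_dn: str) -> bool:
    """Evaluate one authzTo value (dn.exact/regex/subtree/children/onelevel)."""
    kind, _, pattern = rule.partition(":")
    target = normalize(asserted_dn)
    if kind == "dn.regex":
        # Administrator is expected to anchor the pattern (^ ... $); note that
        # ".*" also matches commas, so "uid=x,ou=people,o=example" matches too.
        return re.search(pattern, target, re.IGNORECASE) is not None
    base = normalize(pattern)
    if kind == "dn.exact":
        return target == base
    if kind == "dn.subtree":
        return target == base or target.endswith("," + base)
    if kind == "dn.children":
        return target.endswith("," + base)
    if kind == "dn.onelevel":
        # Parent DN must equal the base (naive split; ignores escaped commas).
        return target.partition(",")[2] == base
    raise ValueError(f"unsupported authzTo form: {kind}")


def may_assert(authz_to, asserted_dn: str) -> bool:
    """True if any authzTo value of the proxy identity covers asserted_dn.

    With mode=self the asserted DN is the consumer-side bind DN; a bind DN
    that matches no value here is refused by the provider (error 123)."""
    return any(rule_permits(rule, asserted_dn) for rule in authz_to)
```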
