chain-overlay question

[Markus Krause]

Hi list!

i have several consumer and one provider (lets call them ldapconX and  
ldapprov). syncrepl works fine, but i actually do not want any clients  
to contact the provider directly (and i have in addition some clients  
which would not understand referrals anyway), so reading through the  
admin guide and man pages i thought slapo-chain would be the solution!  
(correct me if i am wrong ;-))
But somehow a can not get it working...
the slapd.conf of the provider is untouched, the consumer have  
(simplified in some places; please tell me if you need it in more  
details):

----- /etc/openldap/slapd.conf
# consumer
include ...
acls ...
databse bdb
suffix ...
rootdn "cn=manager,o=test"
rootpw xxx
index ...
overlay smbk5pwd
syncrepl ...
updateref ldaps://ldapprov
overlay chain
chain-rebind-as-user    FALSE
chain-uri       "ldaps://ldapprov"
chain-rebind-as-user    TRUE
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=manager,o=test"
                        credentials="secret"
                        mode="self"
---- end of slapd.conf

but when trying to change the password via ldappasswd i get:

  ldappasswd -x -h localhost <...>
   New password:
   Re-enter new password:
   Enter LDAP Password:
   Result: Referral (10)
   Referral: ldaps://ldapprov

i also tried to remove the line "updateref ...", but then i get:
  Result: Server is unwilling to perform (53)
  Additional info: shadow context; no update referral

i also read different postings and the man pages but maybe overlooked  
or did not understand something.

what am i am doing wrong? or do i missunderstand some conceptual basics?

thanks in advance for any hints!

regards
   markus


+-----------------------------------------------------------------+
| Markus Krause, Mogli-Soft                                       |
| Support for Mac OS X, Webmail/Horde, LDAP, RADIUS, MySQL        |
| by order of the                                                 |
|    Computing Center of the Max-Planck-Institute of Biochemistry |
+--------------------------------+--------------------------------+
| E-Mail: [EMAIL PROTECTED]  |  Tel.: 089 - 89 40 85 99       |
|         [EMAIL PROTECTED]  |  Fax.: 089 - 89 40 85 98       |
|  Skype: markus.krause          | iChat: [EMAIL PROTECTED]   |
+--------------------------------+--------------------------------+

----------------------------------------------------------------------
     This message was sent using https://webmail2.biochem.mpg.de
If you encounter any problems please report to [EMAIL PROTECTED]