Simon Gao wrote:
> That's great to know. Do you think the following setup will work on a consumer?
>
> =========================================================
> overlay chain
> chain-rebind-as-user FALSE
>
> chain-uri ldaps://provider/
> chain-rebind-as-user TRUE
> chain-idassert-bind bindmethod=sasl
>         saslmech=GSSAPI
>         binddn="uid=host/consumer1,cn=gssapi,cn=auth"
>         mode="self"
> =========================================================
>
> I have set ACL on provider so that uid=host/consumer1 has correct
> permissions to write all attributes. But it did not work. The error
> says that host/consumer1 is not allowed to assert identity.
>
> Do I need to make host/consumer1 an administrative identity on provider?
> How?
>
> The issue I am trying to resolve is that I prefer not putting clear text
> password in slapd.conf. SASL binding fits such need perfectly if I can
> get it to work with chain overlay.
It appears that authz is not allowed by the provider for that identity. You need to make sure that host/consumer1 has an authzTo rule that allows it to proxyAuthz, and you need to allow the appropriate authz-policy.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   [EMAIL PROTECTED]
---------------------------------------
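A provider-side configuration matching the answer above, as an added example that is not from this thread: it maps the consumer's GSSAPI identity to a real entry, enables the "to" authz policy, and gives that entry an authzTo rule. It is written as cn=config LDIF (the slapd.conf equivalents are the authz-policy and authz-regexp directives); the suffix dc=example,dc=com, the ou=replicas and ou=people subtrees and the entry cn=consumer1 are assumed.

```ldif
# Added example (not from the thread): provider-side proxyAuthz setup.
# Assumed: suffix dc=example,dc=com, user entries under ou=people, and an
# entry cn=consumer1,ou=replicas that represents the consumer's host principal.

# 1. Consult the authzTo attribute of the *bound* identity when a proxyAuthz
#    control arrives (authz-policy "to" in slapd.conf terms), and
# 2. map the SASL/GSSAPI identity the consumer binds with onto a real entry.
#    authzTo is only looked up on an entry that exists in the DIT, so without
#    this mapping uid=host/consumer1,cn=gssapi,cn=auth has no rule at all.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to
-
add: olcAuthzRegexp
olcAuthzRegexp: uid=host/consumer1,cn=gssapi,cn=auth cn=consumer1,ou=replicas,dc=example,dc=com

# 3. The entry the host principal maps to. authzTo is an operational attribute,
#    so load this record as the rootdn. The rule lets consumer1 assert any user
#    DN directly under ou=people and nothing else (no rootdn, no other hosts).
dn: cn=consumer1,ou=replicas,dc=example,dc=com
changetype: add
objectClass: applicationProcess
cn: consumer1
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Once the assertion is accepted, the chained operation runs on the provider as the asserted user, so the provider's ACLs are evaluated against that user's DN rather than against host/consumer1.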
