Hello,

I'm doing an OpenLDAP test with a master/slave replication configuration 
including the ppolicy overlay. I would like to enable password change from the 
slave replica with the chain overlay, in order to validate the ppolicy 
olcPPolicyForwardUpdates attribute set to TRUE. I'm using LDAPS from slave to 
master with SASL EXTERNAL authentication with a client certificate. The client 
certificate corresponds to a user DN entry with "manage" rights on the master 
server (the same used for the replication). This user DN has an authzTo 
attribute in order to match the correct PROXYAUTHZ request from its DN to the 
user DN. 

All of this configuration works on the replica when I first do a failed 
authentication (err=49) on the replica. The pwdFailureTime value is updated on 
the DN entry from replica to slave normally. I'm also able afterwards to do 
some self entry updates on some attributes such as password or others from 
replica to master. 

But the weird behavior is that I need to run a failed authentication first, 
otherwise if I try to change an attribute on the slave server, it responds with 
err=80 "Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?". The 
only way to restore correct behavior is to restart slapd and redo one failed 
authentication first. It seems that the chain overlay does not connect to the 
master server at startup. 

Do you have any idea why I have this behavior? 

I'm using a 2.4.49 build of OpenLDAP, and in the logs on the master server I 
see that the slave uses the same connection. 

Here is the LDIF change and configuration on my replica:
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
olcChainReturnError: TRUE

dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: {0}ldap
olcDbURI: ldaps://valid7-lab-ldap1.tld
olcDbIDAssertBind: bindmethod=sasl saslmech=external starttls=no
  tls_cert="/usr/local/openldap/etc/openldap-valid7/tls/db1_rid001_cert.pem"
  tls_key="/usr/local/openldap/etc/openldap-valid7/tls/db1_rid001_key.pem"
  tls_cacert="/usr/local/openldap/etc/openldap-valid7/tls/cacert.pem"
  tls_reqcert=demand tls_crlcheck=none mode=self
olcDbRebindAsUser: TRUE

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcUpdateRef
olcUpdateRef: ldaps://valid7-lab-ldap1.tld
-

dn: olcOverlay={1}ppolicy,olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcPPolicyForwardUpdates
olcPPolicyForwardUpdates: TRUE
-

Here is the LDIF change on my master:
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to
-

Thanks in advance for your reply
-- 

Frederic Poisson

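As an added check (example code written for this thread, not the poster's configuration and not part of OpenLDAP), the script below unfolds the chain database LDIF, splits the olcDbIDAssertBind bindconf into its parameters, and flags settings that would weaken the replica-to-master SASL EXTERNAL channel; the sample LDIF and its certificate paths are constructed.

```python
import re
# Constructed sample (not from a live server): the replica's chain database entry.
# LDIF folds long values onto lines starting with one space, which unfolding
# removes, so two spaces are used here to keep the bindconf tokens apart.
SAMPLE_LDIF = """\
dn: olcDatabase={0}ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
olcDbURI: ldaps://valid7-lab-ldap1.tld
olcDbIDAssertBind: bindmethod=sasl saslmech=external starttls=no
  tls_cert="/etc/openldap/tls/db1_rid001_cert.pem"
  tls_key="/etc/openldap/tls/db1_rid001_key.pem"
  tls_cacert="/etc/openldap/tls/cacert.pem"
  tls_reqcert=demand tls_crlcheck=none mode=self
olcDbRebindAsUser: TRUE
"""
def parse_entry(text):
    """Unfold LDIF continuation lines and return {attribute: [values]}."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]  # continuation line: drop the fold marker
        elif line.strip():
            lines.append(line)
    attrs = {}
    for rec in lines:
        name, _, value = rec.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def parse_bind_params(value):
    """Split a bindconf string into {key: value}; quoted values may hold spaces."""
    pat = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in pat.finditer(value)}

def check_chain_db(attrs):
    """Return a list of findings for the chain database entry; [] means it passed."""
    findings = []
    bind = parse_bind_params(attrs.get("olcDbIDAssertBind", [""])[0])
    tls = attrs.get("olcDbURI", [""])[0].startswith("ldaps://") or bind.get("starttls") == "yes"
    if bind.get("saslmech", "").lower() == "external":
        if not tls:
            findings.append("SASL EXTERNAL needs TLS: use an ldaps:// URI or starttls=yes")
        for key in ("tls_cert", "tls_key"):
            if key not in bind:
                findings.append(f"{key} missing: no client certificate to present")
    if tls and bind.get("tls_reqcert") != "demand":
        findings.append("tls_reqcert is not demand: the master's certificate is not verified")
    if bind.get("mode") != "self":
        findings.append("mode is not self: chained operations will not carry the bound user's DN")
    return findings
```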