I now took the example configuration and changed it to my settings:
---------------------
TLSCertificateFile /opt/symas/etc/openldap/example-net-cert.pem
TLSCertificateKeyFile /opt/symas/etc/openldap/example-net-key.pem
TLSCACertificateFile /opt/symas/etc/openldap/cacert.pem
pidfile /var/symas/run/slapd.pid
argsfile /var/symas/run/slapd.args
loglevel 256
modulepath /opt/symas/lib/openldap
moduleload lloadd.la
backend lload
listen "ldap://:1389 ldaps://:1636"
feature proxyauthz
TLSShareSlapdCTX true
bindconf bindmethod=simple network-timeout=5 tls_cacert="/opt/symas/etc/openldap/cacert.pem" tls_cert="/opt/symas/etc/openldap/example-net-cert.pem" tls_key="/opt/symas//etc/openldap/example-net-key.pem" binddn=uid=lloadd,ou=users,dc=example,dc=net credentials=geheim
tier roundrobin
backend-server uri=ldaps://ldap01.example.net starttls=critical retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5
backend-server uri=ldaps://ldap02.example.net starttls=critical retry=5000 max-pending-ops=50 conn-max-pending=10 numconns=10 bindconns=5
database monitor
---------------------
The bind user exists in the database of the backend servers. If I start the load balancer I can see that the connections are established.
-------ldap01-----------
Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 fd=46 ACCEPT from IP=192.168.56.40:38674 (IP=0.0.0.0:636)
Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 fd=46 TLS established tls_ssf=256 ssf=256 tls_proto=TLSv1.3 tls_cipher=TLS_AES_256_GCM_SHA384
Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" method=128
Dez 14 21:07:12 ldap01 slapd[550]: conn=1380 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
------------------------
I see the same messages on ldap02, so that's OK. Then I do a search from a different machine:
-------------
root@ldap03:~# ldapsearch -x -D uid=repl-user,ou=users,dc=example,dc=net -w geheim -H ldaps://loadbalancer.example.net:1636 -LLL
Proxied Authorization Denied (123)
Additional information: not authorized to assume identity
------------
The uid=repl-user has read permission to all objects and attributes. On ldap01 I see:
---------ldap01-------------
Dez 14 21:09:13 ldap01 slapd[550]: conn=1371 op=0 BIND dn="uid=repl-user,ou=users,dc=example,dc=net" method=128
Dez 14 21:09:13 ldap01 slapd[550]: conn=1371 op=0 BIND dn="uid=repl-user,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Dez 14 21:09:13 ldap01 slapd[550]: conn=1371 op=0 RESULT tag=97 err=0 qtime=0.000033 etime=0.015255 text=
-----------------------------
On ldap02:
--------ldap02----------
Dez 14 21:09:13 ldap02 slapd[300]: conn=1306 op=1 SEARCH RESULT tag=101 err=123 qtime=0.000044 etime=0.000235 nentries=0 text=not authorized to assume identity
Dez 14 21:09:13 ldap02 slapd[300]: conn=1306 op=1 do_search: get_ctrls failed
------------------------
Why do I get different log entries on the backend servers? And what did I forget?
When I do an ldapsearch with uid=lloadd I get:
-------------------
root@ldap03:~# ldapsearch -x -D uid=lloadd,ou=users,dc=example,dc=net -w geheim -H ldaps://loadbalancer.example.net:1636 -LLL
dn: dc=example,dc=net
objectClass: domain
objectClass: dcObject
dc: example
-------------------
That's the only object the user has permission to read. Log from ldap01:
--------------------
Dez 14 21:14:04 ldap01 slapd[550]: conn=1381 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" method=128
Dez 14 21:14:04 ldap01 slapd[550]: conn=1381 op=0 BIND dn="uid=lloadd,ou=users,dc=example,dc=net" mech=SIMPLE bind_ssf=0 ssf=256
Dez 14 21:14:04 ldap01 slapd[550]: conn=1381 op=0 RESULT tag=97 err=0 qtime=0.000021 etime=0.008984 text=
--------------------
and log from ldap02:
--------------------
Dez 14 21:14:04 ldap02 slapd[300]: conn=1308 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(objectClass=*)"
Dez 14 21:14:04 ldap02 slapd[300]: conn=1308 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000022 etime=0.002048 nentries=1 text=
--------------------
That's also OK, I think. The final version should be that the bind user uid=lloadd will not see anything.
So what's the point I'm missing to get proxyauthz work correctly?
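Editor's added example, not part of the original post: with "feature proxyauthz", lloadd forwards each client operation over one of its own bound connections and attaches a proxied authorization control (RFC 4370) naming the client's bound DN. The backend slapd then runs its own proxy authorization check for that control: result 123 with text "not authorized to assume identity" is what slapd returns when the identity bound on that connection (here uid=lloadd) is not permitted by authz-policy together with authzTo (or authzFrom on the target entry) to assume the requested DN; an identity assuming itself, and the rootdn assuming anyone, always pass that check. The LDIF below is ldapmodify input for the backend servers (ldap01/ldap02) using the DNs from the post. It assumes the backends are configured through cn=config (the slapd.conf equivalent of the first change is the single directive "authz-policy to") and that every identity the balancer must proxy lives beneath ou=users; both are illustrative choices, not the poster's settings.

```ldif
# Added illustration for the backend slapd, not the poster's configuration.
# Apply as the backend's rootdn, e.g. ldapmodify -H ldapi:/// -Y EXTERNAL -f this.ldif

# 1. Choose which side grants proxy authorization. "to" means the binding
#    identity (uid=lloadd) carries authzTo values listing whom it may become.
#    The default, "none", rejects every proxied authorization control.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# 2. Allow uid=lloadd to assume any entry below ou=users and nothing else.
#    dn.children excludes ou=users itself and, being a subtree rule, cannot
#    match the rootdn or anything outside that branch. authzTo is an
#    operational attribute, so no extra objectClass is needed on the entry.
dn: uid=lloadd,ou=users,dc=example,dc=net
changetype: modify
add: authzTo
authzTo: dn.children:ou=users,dc=example,dc=net
```

To check the backend's decision without the load balancer in the path, the same control can be sent directly from an OpenLDAP client, e.g. `ldapwhoami -x -H ldaps://ldap01.example.net -D uid=lloadd,ou=users,dc=example,dc=net -W -e 'authzid=dn:uid=repl-user,ou=users,dc=example,dc=net'`: it prints the assumed DN when authorization succeeds and fails with result 123 otherwise, so each backend can be verified on its own before testing through lloadd. Scope the authzTo rule as narrowly as the deployment allows, because whoever holds the balancer's bind credentials (stored in cleartext in the lloadd configuration above) can act as every identity the rule covers.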