[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: (ITS#7807) rebind-as-user in slapd-meta not running
--_b67832eb-f95f-44fc-96d8-4e1d626f474b_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
First of all thank you for your quick answer.
=20
Before I posted the question I've read the man pages several times trying t=
o understand how slapd-meta runs. I don't speak english very well (as you c=
an see) so it's probably that i've don't understand it completly.
=20
As I've tried to explain in my question=2C I used idassert-bind before and =
it runs ok=2C but I don't understand why I've to use an administrative acco=
unt to connect the proxy with the targets if I only want to passthrough the=
credentials of the user that was authenticated on the proxy. So I tried to=
use rebind-as-user thinking it was the solution but as you say this is for=
another use.
=20
Only for confirm what I'm doing. Is this the correct directive for what I'm=
trying to do?
idassert-bind mode=3Dself bindmethod=3Dsimple binddn=3D"cn=3Dadminuser=2Cou=
=3Dusers=2Cdc=3Dtest=2Cdc=3Dcom" credentials=3D"password of admin user"
=20
Regards
=20
> Date: Fri=2C 28 Feb 2014 21:23:52 +0100
> From: pierangelo.masarati@polimi.it
> To: theedgeu2@live.com
> CC: openldap-its@openldap.org
> Subject: Re: (ITS#7807) rebind-as-user in slapd-meta not running
>=20
> On 02/28/2014 11:00 AM=2C theedgeu2@live.com wrote:
> > Full_Name: Angel Martinez
> > Version: 2.4.39
> > OS: Red Hat Linux 6.4
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (217.71.18.36)
> >
> >
> > I'm trying to configure a LDAP proxy with slapd-meta.
> >
> > I have several suffixs over several instances that shares the same user
> > accounts. It's posible that one user had access to several targets.
> >
> > The targets are:
> >
> > * Users: ou=3Dusers=2C dc=3Dtest=2C dc=3Dcom (here resides all accounts=
)
> >
> > * Target1: ou=3Dtarget1=2C dc=3Dtest=2C dc=3Dcom
> >
> > * Target2: ou=3Dtarget2=2C dc=3Dtest=2C dc=3Dcom
> >
> > These 3 suffix are on 3 differents instances.
> >
> > The instances where target1 and target2 are also have another suffix: o=
u=3Dusers=2C
> > dc=3Dtest=2C dc=3Dcom. This suffix is replicated from the first instanc=
e (Users)
> >
> > Normally=2C the users connect throught the proxy=2C but sometimes will =
connect
> > directly to the others instances.
> >
> > Basically this is the slapd.conf of the proxy:
> >
> > database meta
> > chase-referrals yes
> > rebind-as-user yes
> >
> > suffix "ou=3Dusers=2Cdc=3Dtest=2Cdc=3Dcom"
> > uri "ldap://192.168.1.34:3891/ou=3Dusers=2Cdc=3Dtest=2Cdc=3Dcom"
> >
> > suffix "ou=3Dtarget1=2Cdc=3Dtest=2Cdc=3Dcom"
> > uri "ldap://192.168.1.34:3892/ou=3Dtarget1=2Cdc=3Dtest=2Cdc=3Dcom"
> >
> > suffix "ou=3Dtarget2=2Cdc=3Dtest=2Cdc=3Dcom"
> > uri "ldap://192.168.1.34:3893/ou=3Dtarget2=2Cdc=3Dtest=2Cdc=3Dcom"
> >
> > When a user connects to the proxy with cn=3Duser1=2Cou=3Dusers=2Cdc=3Dt=
est=2Cdc=3Dcom=2C the
> > user is validated against the first target (ou=3Dusers) and can search =
over this
> > suffix=2C but if this user try to search something over other target (f=
or example
> > ou=3Dtarget1) the proxy does not use the credentials of the user and do=
an
> > anonymous bind to target1=2C so the search doesn't run.
> >
> > I thought that rebind-as-user resolve this but doesn't run.
> >
> > I've tried using idassert-bind mode=3Dself bindmethod=3Dsimple
> > binddn=3D"cn=3Dadminuser=2Cou=3Dusers=2Cdc=3Dtest=2Cdc=3Dcom" credentia=
ls=3D"password" and runs
> > ok=2C but I prefer not to use an administrative account to connect the =
proxy with
> > the targets.
> >
> > Is there something I'm missing?
>=20
> Yes=2C you did not read slapd-meta(5) man page. rebind-as-user is used i=
n=20
> a totally different context. What you need is idassert-bind.
>=20
>=20
> Please direct further conversation to <openldap-technical@openldap.org>.=
=20
> This ITS will be closed.
>=20
> p.
>=20
>=20
> --=20
> Pierangelo Masarati
> Associate Professor
> Dipartimento di Scienze e Tecnologie Aerospaziali
> Politecnico di Milano
=
--_b67832eb-f95f-44fc-96d8-4e1d626f474b_
Content-Type: text/html; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px=3B
padding:0px
}
body.hmmessage
{
font-size: 12pt=3B
font-family:Calibri
}
--></style></head>
<body class=3D'hmmessage'><div dir=3D'ltr'><br>First of all thank you for y=
our quick answer.<BR> =3B<BR>Before I posted the question I've read the=
man pages several times trying to understand how slapd-meta runs. I don't =
speak english very well (as you can see) so it's probably that i've don't u=
nderstand it completly.<BR> =3B<BR>As I've tried to =3Bexplain in m=
y question=2C I used idassert-bind before and it runs ok=2C but I don't und=
erstand why I've to use an administrative account to connect the proxy with=
the targets if I only want to passthrough the credentials of the user that=
was authenticated on the proxy. So I tried to use rebind-as-user thinking =
it was the solution but as you say this is for another use.<BR> =3B<BR>=
Only for confirm what I'm doing. Is this the correct directive for what I'm=
trying to do?<BR>idassert-bind mode=3Dself bindmethod=3Dsimple binddn=3D"c=
n=3Dadminuser=2Cou=3Dusers=2Cdc=3Dtest=2Cdc=3Dcom" credentials=3D"password =
of admin user"<BR> =3B<BR>Regards<BR> =3B<BR><div>>=3B Date: Fri=
=2C 28 Feb 2014 21:23:52 +0100<br>>=3B From: pierangelo.masarati@polimi.i=
t<br>>=3B To: theedgeu2@live.com<br>>=3B CC: openldap-its@openldap.org<=
br>>=3B Subject: Re: (ITS#7807) rebind-as-user in slapd-meta not running<=
br>>=3B <br>>=3B On 02/28/2014 11:00 AM=2C theedgeu2@live.com wrote:<br=
>>=3B >=3B Full_Name: Angel Martinez<br>>=3B >=3B Version: 2.4.39<b=
r>>=3B >=3B OS: Red Hat Linux 6.4<br>>=3B >=3B URL: ftp://ftp.openl=
dap.org/incoming/<br>>=3B >=3B Submission from: (NULL) (217.71.18.36)<b=
r>>=3B >=3B<br>>=3B >=3B<br>>=3B >=3B I'm trying to configure a=
LDAP proxy with slapd-meta.<br>>=3B >=3B<br>>=3B >=3B I have sever=
al suffixs over several instances that shares the same user<br>>=3B >=
=3B accounts. It's posible that one user had access to several targets.<br>=
>=3B >=3B<br>>=3B >=3B The targets are:<br>>=3B >=3B<br>>=3B =
>=3B * Users: ou=3Dusers=2C dc=3Dtest=2C dc=3Dcom (here resides all accou=
nts)<br>>=3B >=3B<br>>=3B >=3B * Target1: ou=3Dtarget1=2C dc=3Dtest=
=2C dc=3Dcom<br>>=3B >=3B<br>>=3B >=3B * Target2: ou=3Dtarget2=2C d=
c=3Dtest=2C dc=3Dcom<br>>=3B >=3B<br>>=3B >=3B These 3 suffix are o=
n 3 differents instances.<br>>=3B >=3B<br>>=3B >=3B The instances w=
here target1 and target2 are also have another suffix: ou=3Dusers=2C<br>>=
=3B >=3B dc=3Dtest=2C dc=3Dcom. This suffix is replicated from the first =
instance (Users)<br>>=3B >=3B<br>>=3B >=3B Normally=2C the users co=
nnect throught the proxy=2C but sometimes will connect<br>>=3B >=3B dir=
ectly to the others instances.<br>>=3B >=3B<br>>=3B >=3B Basically =
this is the slapd.conf of the proxy:<br>>=3B >=3B<br>>=3B >=3B data=
base meta<br>>=3B >=3B chase-referrals yes<br>>=3B >=3B rebind-as-u=
ser yes<br>>=3B >=3B<br>>=3B >=3B suffix "ou=3Dusers=2Cdc=3Dtest=
=2Cdc=3Dcom"<br>>=3B >=3B uri "ldap://192.168.1.34:3891/ou=3Dusers=
=2Cdc=3Dtest=2Cdc=3Dcom"<br>>=3B >=3B<br>>=3B >=3B suffix "ou=3Dt=
arget1=2Cdc=3Dtest=2Cdc=3Dcom"<br>>=3B >=3B uri "ldap://192.168.1.=
34:3892/ou=3Dtarget1=2Cdc=3Dtest=2Cdc=3Dcom"<br>>=3B >=3B<br>>=3B >=
=3B suffix "ou=3Dtarget2=2Cdc=3Dtest=2Cdc=3Dcom"<br>>=3B >=3B uri =
"ldap://192.168.1.34:3893/ou=3Dtarget2=2Cdc=3Dtest=2Cdc=3Dcom"<br>>=3B =
>=3B<br>>=3B >=3B When a user connects to the proxy with cn=3Duser1=
=2Cou=3Dusers=2Cdc=3Dtest=2Cdc=3Dcom=2C the<br>>=3B >=3B user is valida=
ted against the first target (ou=3Dusers) and can search over this<br>>=
=3B >=3B suffix=2C but if this user try to search something over other ta=
rget (for example<br>>=3B >=3B ou=3Dtarget1) the proxy does not use the=
credentials of the user and do an<br>>=3B >=3B anonymous bind to targe=
t1=2C so the search doesn't run.<br>>=3B >=3B<br>>=3B >=3B I though=
t that rebind-as-user resolve this but doesn't run.<br>>=3B >=3B<br>>=
=3B >=3B I've tried using idassert-bind mode=3Dself bindmethod=3Dsimple<b=
r>>=3B >=3B binddn=3D"cn=3Dadminuser=2Cou=3Dusers=2Cdc=3Dtest=2Cdc=3Dco=
m" credentials=3D"password" and runs<br>>=3B >=3B ok=2C but I prefer no=
t to use an administrative account to connect the proxy with<br>>=3B >=
=3B the targets.<br>>=3B >=3B<br>>=3B >=3B Is there something I'm m=
issing?<br>>=3B <br>>=3B Yes=2C you did not read slapd-meta(5) man page=
. rebind-as-user is used in <br>>=3B a totally different context. What =
you need is idassert-bind.<br>>=3B <br>>=3B <br>>=3B Please direct fu=
rther conversation to <=3Bopenldap-technical@openldap.org>=3B. <br>>=
=3B This ITS will be closed.<br>>=3B <br>>=3B p.<br>>=3B <br>>=3B=
<br>>=3B -- <br>>=3B Pierangelo Masarati<br>>=3B Associate Professor=
<br>>=3B Dipartimento di Scienze e Tecnologie Aerospaziali<br>>=3B Poli=
tecnico di Milano<br></div> </div></body>
</html>=
--_b67832eb-f95f-44fc-96d8-4e1d626f474b_--