
RE: back-ldap & GSSAPI

--On Monday, September 15, 2003 5:22 PM -0700 Howard Chu <hyc@highlandsun.com> wrote:

-----Original Message-----
From: owner-openldap-software@OpenLDAP.org [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah

In reading the back-ldap man page, I don't see that it is possible to proxy via GSSAPI. In the case I'm looking at, we'd have a machine running slapd that would have its own authcId. It would use that authcId when proxying requests to get the information it wants from our OpenLDAP servers. Am I correct in thinking this can't be done with back-ldap as it currently stands?

Not entirely sure of what you mean by proxying, since it has two different meanings that may be relevant here. But I'm fairly sure the answer for 2.1 is it can't be done.

back-ldap forwards requests using the same ID/credentials that it received. This only works for simple binds. It could be made to work for other mechanisms by way of the Proxy Authorization control. Perhaps this would be a good feature to add in a future release. Certainly I would prefer to see it behave this way; it would make connection management much much simpler.


I'm not quite sure that would work for me either, in this case, but it might. The systems are currently configured this way:

System A is the one the request originates from. It is on a VPN that can't see outside.
System B is on the VPN and the outside network. It would run back-ldap.
System C is our LDAP server setup.

A contacts B and authenticates via simple authentication.
B proxies the request using its authcId via SASL/GSSAPI to C.
C responds, everything flows back to A.

It may be possible to run Kerberos on A, and then just proxy its credentials through, but I'll have to get further information from the people running Systems A & B to know for sure. If so, your idea would definitely work.


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
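The "bind once as B's own identity, then assert the client's identity with the Proxy Authorization control" behaviour Howard describes is what later OpenLDAP releases (2.3 onward) added to back-ldap as identity assertion; the slapd.conf fragment below is an added illustration of that shape for system B, not configuration from this thread or from OpenLDAP's documentation. It assumes the slapd-ldap(5) directive names of those later releases, a Kerberos keytab or ticket cache available to slapd on B, and constructed example.com names.

```conf
# Added example for system B (the proxy); not from the original thread.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.example.com"        # system C (constructed name)

# B authenticates to C once with its own Kerberos identity (GSSAPI),
# using the keytab/ticket cache available to the slapd process on B.
# authz=proxyauthz: each forwarded operation carries the Proxy
# Authorization control naming the identity that bound to B.
idassert-bind   bindmethod=sasl saslmech=GSSAPI authz=proxyauthz

# Only identities matching this pattern may be asserted through B;
# anything else is forwarded without the control (assumed subtree).
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
```

For the control to be honoured, C must separately authorize B's Kerberos identity to proxy for those users (authz-policy and authzTo/authzFrom on C); otherwise C rejects the asserted identity.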