
slapd-{ldap,meta} && authentication



I'd like to have a local slapd on my mailserver (QmailLDAP/Controls)
which is readable only through a socket (ldapi) to speed things up
for Qmail (at least I HOPE that it's going to be faster :).

I tried to have a COPY of the database (which is replicated from the
master). This works exceptionally well (even though it's not THAT much
faster - barely noticeable).

But I don't want to risk inconsistencies, so I was thinking CACHING
PROXY instead. Which, if I read the manuals correctly, would be
provided by 'meta', not 'ldap'.... ?

I can get results from the proxy, but I don't get ALL of it when
using my (Kerberos V) ticket (using SASL). This works when the local
slapd is a COPY (I use almost the exact same config files for the
two attempts)...

What doesn't work is the sasl-regexp... From 'ldapwhoami', I get

        dn:uid=turbo,cn=swe.net,cn=gssapi,cn=auth

and not the 'expected' one (which I get on the 'master'):

        dn:uid=turbo,ou=people,o=swe.net ab,c=se

This is part of the slapd.conf on the slave:

----- s n i p -----
database                ldap
default-target          none
suffix                  "c=SE"
uri                     "ldap://master/c=SE"
dncache-ttl             60
lastmod                 off
proxy-whoami
rebind-as-user
----- s n i p -----

On both the 'slave' and 'master', I have this sasl-regexp (in one
place too much!?):

----- s n i p -----
sasl-regexp
        uid=(.*),cn=(.*),cn=(.*),cn=auth
        ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)
sasl-regexp
        email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)
        ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))
----- s n i p -----

This works exactly as planned when slapd is using a 'bdb' backend, but
not 'ldap' (or 'meta' for that matter).

What am I missing? Note that I don't want _ANY_ rewriting
or anything. The 'meta' slapd should match exactly the master...

I'll be trying 'overlay' later to have the cache 'on file', but
currently that gives me errors, so I'll stick to one problem at
a time...


I've been trying to check the mail archives but that doesn't
show me ANYTHING that has to do with _authentication_, only
_searches_...
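The following is an added example (not code from the post, and not
OpenLDAP's own implementation) that emulates what slapd does with the
two sasl-regexp rules quoted above: match the SASL authorization DN
against each pattern, substitute $1..$n into the LDAP URL, run that
search, and apply the rule from slapd.conf(5) that the search must
return exactly one entry for the mapping to take effect. The directory
it searches is a constructed in-memory dictionary (the DNs and
attribute values are made up for the example), the filter evaluator
only understands equality, & and |, and Python's re module stands in
for slapd's regex engine. Running it shows that the unmapped
'uid=turbo,cn=swe.net,cn=gssapi,cn=auth' DN reported by ldapwhoami is
exactly what you get when no rule matches or when the internal search
returns zero or more than one entry, which narrows down what to check
on the proxy.

```python
"""Emulation of slapd's sasl-regexp (authz-regexp) identity mapping.

Added example, not OpenLDAP code. It applies the sasl-regexp rules from
the post to a SASL authorization DN, rewrites the LDAP URL with $N
substituted, searches a constructed in-memory directory and applies
slapd's rule that the search must return exactly one entry.
"""
import re

# The two sasl-regexp rules from the post, as (pattern, replacement) pairs.
SASL_REGEXPS = [
    (r"uid=(.*),cn=(.*),cn=(.*),cn=auth",
     "ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)"),
    (r"email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)",
     "ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))"),
]

# Constructed sample directory: DN -> attributes (attribute names lowercased).
DIRECTORY = {
    "uid=turbo,ou=People,o=swe.net ab,c=SE": {
        "uid": ["turbo"],
        "cn": ["Turbo"],
        "krb5principalname": ["turbo@SWE.NET"],
        "mail": ["turbo@swe.net"],
    },
    "uid=nokrb,ou=People,o=swe.net ab,c=SE": {   # no Kerberos principal at all
        "uid": ["nokrb"],
        "cn": ["No Kerberos"],
        "mail": ["nokrb@swe.net"],
    },
}


def map_sasl_identity(authcid_dn, rules=SASL_REGEXPS):
    """Return the rewritten URL/DN of the first rule matching the whole DN, or None."""
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authcid_dn, re.IGNORECASE)
        if m:
            out = replacement
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace("$%d" % i, group)
            return out
    return None


def _norm_dn(dn):
    """Lowercase a DN and strip whitespace around its RDNs for comparison."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _parse_filter(s, pos=0):
    """Tiny RFC 4515 subset: equality matches combined with & and |, no escaping."""
    assert s[pos] == "(", "filter must start with '('"
    pos += 1
    if s[pos] in "&|":
        op, pos, children = s[pos], pos + 1, []
        while s[pos] == "(":
            child, pos = _parse_filter(s, pos)
            children.append(child)
        assert s[pos] == ")", "unterminated compound filter"
        return (op, children), pos + 1
    end = s.index(")", pos)
    attr, _, value = s[pos:end].partition("=")
    return ("=", attr.lower(), value), end + 1


def _matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    if node[0] == "=":
        _, attr, value = node
        return any(v.lower() == value.lower() for v in attrs.get(attr, []))
    op, children = node
    combine = all if op == "&" else any
    return combine(_matches(c, attrs) for c in children)


def search(url, directory):
    """Evaluate an ldap:///base?attrs?scope?filter URL and return the matching DNs."""
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    base, node = _norm_dn(base), _parse_filter(flt)[0]
    hits = []
    for dn, attrs in directory.items():
        ndn = _norm_dn(dn)
        in_scope = ndn == base or (scope == "sub" and ndn.endswith("," + base))
        if in_scope and _matches(node, attrs):
            hits.append(dn)
    return hits


def resolve_sasl_dn(authcid_dn, directory, rules=SASL_REGEXPS):
    """The DN ldapwhoami would report after sasl-regexp mapping on this directory."""
    target = map_sasl_identity(authcid_dn, rules)
    if target is None:
        return authcid_dn            # no rule matched: the cn=auth DN is kept as-is
    if not target.lower().startswith("ldap:///"):
        return target                # rule rewrote straight to a DN, no search needed
    hits = search(target, directory)
    if len(hits) != 1:               # slapd requires exactly one entry, else no mapping
        return authcid_dn
    return hits[0]


if __name__ == "__main__":
    for ident in ("uid=turbo,cn=swe.net,cn=gssapi,cn=auth",
                  "uid=nokrb,cn=swe.net,cn=gssapi,cn=auth"):
        print(ident, "->", resolve_sasl_dn(ident, DIRECTORY))
```

Two things worth noting when reading the output: the greedy (.*) groups
in the first rule still capture only 'turbo' for $1 because the pattern
has to match the whole DN, and a principal that appears on two entries
(a stale duplicate, say) is treated the same as one that appears on
none, so both cases surface as the unmapped cn=auth DN.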