slapd-{ldap,meta} && authentication
- To: openldap-software@OpenLDAP.org
- Subject: slapd-{ldap,meta} && authentication
- From: Turbo Fredriksson <turbo@bayour.com>
- Date: 22 Jul 2004 16:46:42 +0200
- Organization: LDAP/Kerberos expert wannabe
- User-agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.7
I'd like to have a local slapd on my mailserver (QmailLDAP/Controls)
which is readable only through a socket (ldapi) to speed things up
for Qmail (at least I HOPE that it's going to be faster :).
I tried to have a COPY of the database (which is replicated from the
master). This works exceptionally well (even though it's not THAT much
faster - barely noticeable).
But I don't want to risk inconsistencies, so I was thinking CACHING
PROXY instead. Which, if I read the manuals correctly, would be
provided by 'meta', not 'ldap'...?
I can get results from the proxy, but I don't get ALL of it when
using my (Kerberos V) ticket (using SASL). This works when the local
slapd is a COPY (I use almost the exact same config files for the
two attempts)...
What doesn't work is the sasl-regexp... From 'ldapwhoami', I get
dn:uid=turbo,cn=swe.net,cn=gssapi,cn=auth
and not the 'expected' (which I get on the 'master').
dn:uid=turbo,ou=people,o=swe.net ab,c=se
This is part of the slapd.conf on the slave:
----- s n i p -----
database ldap
default-target none
suffix "c=SE"
uri "ldap://master/c=SE"
dncache-ttl 60
lastmod off
proxy-whoami
rebind-as-user
----- s n i p -----
On both the 'slave' and 'master', I have this sasl-regexp (in one
place too many!?):
----- s n i p -----
sasl-regexp
uid=(.*),cn=(.*),cn=(.*),cn=auth
ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)
sasl-regexp
email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)
ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))
----- s n i p -----
This works exactly as planned when slapd is using a 'bdb' backend, but
not 'ldap' (or 'meta' for that matter).
What am I missing? Note that I don't want _ANY_ rewriting
or anything. The 'meta' slapd should match exactly the master...
I'll be trying 'overlay' later to have the cache 'on file', but
currently that gives me errors, so I'll stick to one problem at a
time...
I've been trying to check the mail archives but that doesn't
show me ANYTHING that has to do with _authentication_, only
_searches_...
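As an added illustration (not part of the original post or of OpenLDAP itself), the following Python replays the two sasl-regexp rules quoted above against the authzid that ldapwhoami reported, showing which search URI slapd would derive from each and that an authzid no rule matches is left as-is, which is the raw 'cn=auth' identity seen on the proxy. It assumes slapd's documented behaviour of compiling each pattern as an extended, case-insensitive regexp that must match the whole authzid, and of expanding $1..$9 from the capture groups.

```python
import re

# The two sasl-regexp rules from the post, as (pattern, replacement) pairs.
# slapd compiles each pattern as an extended, case-insensitive POSIX regexp
# that has to match the whole authzid; $N in the replacement is group N.
SASL_REGEXPS = [
    (r"uid=(.*),cn=(.*),cn=(.*),cn=auth",
     r"ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)"),
    (r"email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)",
     r"ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))"),
]


def map_authzid(authzid, rules=SASL_REGEXPS):
    """Return the search URI (or DN) produced by the first matching rule.

    Returns None when no rule matches; in that case slapd keeps the raw
    authzid (e.g. uid=...,cn=gssapi,cn=auth) as the bound identity.
    """
    for pattern, replacement in rules:
        m = re.fullmatch(pattern, authzid, flags=re.IGNORECASE)
        if m is None:
            continue
        # Expand $1..$9 with the corresponding capture group, as slapd does.
        return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    # Constructed sample: the GSSAPI authzid quoted in the post.
    print(map_authzid("uid=turbo,cn=swe.net,cn=gssapi,cn=auth"))
```

Run against your own slapd.conf rules, this shows the URI the backend has to resolve; on a proxy backend that search is what still has to succeed for the mapped DN to appear.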