Re: slapd-{ldap,meta} && authentication
> I'd like to have a local slapd on my mailserver (QmailLDAP/Controls)
> which is readable only through a socket (ldapi) to speed things up
> for Qmail (at least I HOPE that it's going to be faster :).
>
> I tried to have a COPY of the database (which is replicated from the
> master). This works exceptionally well (even though it's not THAT much
> faster - barely noticeable).
>
> But I don't want to risk inconsistencies, so I was thinking CACHING
> PROXY instead. Which, if I read the manuals correctly, would be
> provided by 'meta', not 'ldap'.... ?
>
> I can get results from the proxy, but I don't get ALL of it when
> using my (Kerberos V) ticket (using SASL). This works when the local
> slapd is a COPY (I use almost the exact same config files for the
> two attempts)...
>
> What doesn't work is the sasl-regexp... From 'ldapwhoami', I get
>
> dn:uid=turbo,cn=swe.net,cn=gssapi,cn=auth
>
> and not the 'expected' (which I get on the 'master').
>
> dn:uid=turbo,ou=people,o=swe.net ab,c=se
>
> This is part of the slapd.conf on the slave:
>
> ----- s n i p -----
> database ldap
> default-target none
> suffix "c=SE"
> uri "ldap://master/c=SE"
> dncache-ttl 60
> lastmod off
> proxy-whoami
> rebind-as-user
> ----- s n i p -----
>
> On both the 'slave' and 'master', I have this sasl-regexp (in one
> place too much!?):
>
> ----- s n i p -----
> sasl-regexp
> uid=(.*),cn=(.*),cn=(.*),cn=auth
> ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)
> sasl-regexp
> email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)
> ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))
> ----- s n i p -----
>
> This works exactly as planned when slapd is using a 'bdb' backend, but
> not 'ldap' (or 'meta' for that matter).
>
> What am I missing? Note that I don't want _ANY_ rewriting
> or anything. The 'meta' slapd should match exactly the master...
>
> I'll be trying 'overlay' later to have the cache 'on file', but
> currently that gives me errors, so I'll stick to one problem at
> a time...
>
>
> I've been trying to check the mail archives but that doesn't
> show me ANYTHING that has to do with _authentication_, only
> _searches_...
>
Exactly. You cannot perform SASL bind with back-ldap. You're supposed to
use simple auth. If you use HEAD code, you can have the proxy bind with
SASL to the remote server, and eventually proxyAuthz your local identity
(see idassert-* in HEAD's slapd-ldap(5)). Note that proxying SASL auth
might be impossible, and at least mechanism dependent (as far as I
understand of SASL).
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
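As an added example (not part of this thread), here is what the approach in the reply looks like on the proxy side, using the idassert directives as they appear in released OpenLDAP 2.3/2.4 slapd-ldap(5) rather than the HEAD of the time; all DNs, the proxy's own identity and its credential are assumptions, and the proxy is assumed to run with a Kerberos credential cache for its GSSAPI bind.

```conf
# Proxy (slave) slapd.conf fragment, back-ldap with identity assertion.
# Added example; DNs, proxy identity and credential are assumptions.

# Global: map the local GSSAPI identity to its entry, as on the master.
# The internal search behind this URI is proxied to the master, so the
# proxy needs an identity of its own for it (acl-bind below).
sasl-regexp
        uid=(.*),cn=(.*),cn=(.*),cn=auth
        ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)

database        ldap
suffix          "c=SE"
uri             "ldap://master/c=SE"
lastmod         off
proxy-whoami

# Identity the proxy uses for its own internal lookups (ACLs, the
# sasl-regexp search above). Assumed entry; use a strong credential.
acl-bind        bindmethod=simple
                binddn="cn=proxy,c=SE"
                credentials="CHANGE-ME"

# Instead of trying to proxy the client's SASL exchange (which the reply
# notes may be impossible), the proxy binds to the master as itself and
# asserts the client's mapped DN via the proxyAuthz control (RFC 4370).
# mode=self: forwarded operations run as the asserted client identity.
idassert-bind   bindmethod=sasl
                saslmech=GSSAPI
                authz=proxyauthz
                mode=self

# Least privilege: only identities under ou=people may be asserted.
# An unmapped identity such as uid=...,cn=gssapi,cn=auth is refused
# instead of being silently forwarded under the proxy's own rights.
idassert-authzFrom "dn.children:ou=people,o=swe.net ab,c=se"
```

The master must still permit the assertion, e.g. `authz-policy to` in its slapd.conf with an `authzTo` value on the proxy's entry covering that subtree; without that the master rejects the control and `ldapwhoami` on the proxy does not return the expected DN.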