Re: chain + rebind-as-user
On Sun, 2005-10-02 at 04:02 +0400, Mitya wrote:
> Hi,
>
> I didn't manage to make it work.
>
> database ldbm
> directory /var/lib/ldap/foo
> suffix ou=Foo
> rootdn cn=Manager,ou=Foo
> overlay chain
> chain-rebind-as-user yes
>
> That "foo" database contains referrals pointing to the server that
> shares authentication info with this one. When I try authenticated
> search, referral chasing takes place, but slapd tries to chase them
> anonymously, without proper rebinding.
>
> Is there any obvious way to overcome this?
> Thank you!
I think that's not the way it works. In fact, the proxy can
rebind-as-user if the proxy itself authenticated the user from scratch
by performing a simple bind and saving the DN and the credentials, but
in this case the "chain" overlay didn't have any chance to save the
credentials.
If you're using 2.3 you can use identity assertion to instruct the
"chain" overlay to bind with some well-known identity and assert that of
the user by means of the proxyAuthz control. Something like
database ldbm
directory /var/lib/ldap/foo
suffix ou=Foo
rootdn cn=Manager,ou=Foo
overlay chain
chain-idassert-bind
bindmethod=simple
binddn="cn=Proxy"
credentials="secret"
mode=self
where mode=self instructs the "chain" overlay to proxyAuthz with the
identity of the original operation. The remote server must understand
proxyAuthz, and "cn=Proxy" must be allowed to authz as the users you
intend to authorize. Note that the identity you specify must be known
to all the URIs that may be returned as referrals, since there is no
way to specify an identity based on the URI. This would be useful, and
might be implemented in view of the strengthening of the "chain"
overlay I'm planning.
Since you're using back-ldbm, I suspect you're not ready for 2.3 yet...
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
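The two halves of the setup the reply describes, as an added example that is not part of the original exchange: the chaining server's slapd.conf with identity assertion (mode=self), and what the referred-to server needs so that the asserted identity is actually accepted (authz-policy plus an authzTo value on the proxy's entry). The full DN cn=Proxy,ou=Foo, the user DN uid=alice,ou=Foo, the host name remote.example.com and the remote database directory are assumptions made for illustration; the page only gives "cn=Proxy" and "secret".

```conf
# ---- Chaining server (holds the referral database) ----
# Added example, not the original poster's file. Needs OpenLDAP 2.3.
# slapd.conf has no trailing comments, so every comment is on its own line.
database        ldbm
directory       /var/lib/ldap/foo
suffix          "ou=Foo"
rootdn          "cn=Manager,ou=Foo"

overlay         chain
# Bind to the referred-to server as a fixed identity (assumed full DN)
# and assert the DN of the original operation via proxyAuthz (mode=self).
chain-idassert-bind
        bindmethod=simple
        binddn="cn=Proxy,ou=Foo"
        credentials="secret"
        mode=self

# ---- Remote server (target of the referrals) ----
# "authz-policy to": the binding identity's own entry lists, in its
# authzTo attribute, which identities it may assume. Without this the
# proxyAuthz control sent by the chain overlay is rejected.
authz-policy    to

database        bdb
# assumed directory
directory       /var/lib/ldap/remote-foo
suffix          "ou=Foo"
rootdn          "cn=Manager,ou=Foo"

# ---- Proxy identity on the remote server (LDIF, commented so this
# stays one file; load it with ldapadd as the rootdn) ----
# Scope authzTo to the user branch only. A value such as dn.regex:.*
# would let the proxy account become anyone, including the rootdn.
# authzTo is an operational attribute, so no extra objectClass is needed.
#
# dn: cn=Proxy,ou=Foo
# objectClass: applicationProcess
# objectClass: simpleSecurityObject
# cn: Proxy
# userPassword: secret
# authzTo: dn.regex:^uid=[^,]+,ou=Foo$

# ---- Check, run directly against the remote server ----
# ldapwhoami -x -H ldap://remote.example.com \
#     -D "cn=Proxy,ou=Foo" -w secret -e '!authzid=dn:uid=alice,ou=Foo'
# Success prints "dn:uid=alice,ou=Foo", i.e. the asserted identity.
# If authzTo does not cover that user, or authz-policy is missing, the
# operation fails instead, and the chained search would fail the same way.
```

The proxy password sits in clear text in slapd.conf, so the file should be readable only by the user slapd runs as. As the reply notes, the same cn=Proxy,ou=Foo entry with the same password and authzTo has to exist on every server the referrals can point to, because the chain overlay in 2.3 cannot pick an identity per URI.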