
Re: Using back-ldap as a dumb proxy





--On Wednesday, February 21, 2007 11:52 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

Quanah Gibson-Mount wrote:


--On Wednesday, February 21, 2007 2:39 PM -0800 Quanah Gibson-Mount
<quanah@stanford.edu> wrote:

I'm trying to set up a very simple slapd that takes incoming requests
locally, and forwards them on to a remote server using SASL/GSSAPI to
get the information, so that an internal app that doesn't understand
SASL/GSSAPI can get the information it needs.

Never mind, I forgot to load the core schema. duh. :P

The proxy was a bit too dumb ;)

Heh.

The problem I'm having now, is I can't get it to perform SASL/GSSAPI auth to the remote proxy.

If I have:

# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema
# Global Options

modulepath       /usr/lib/ldap
moduleload       back_ldap.la

readonly on
access to *
       by * read

# LDAP Proxy Options


database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://ldap-test1.stanford.edu"
idassert-bind   bindmethod=none




It correctly talks to the remote server with an anonymous bind. However, if I change things around:


idassert-bind   bindmethod=sasl
               saslmech=gssapi
               realm=stanford.edu
               authcID=proxy
               credentials=proxy
               mode=self


I get:

ldapsearch -LLL -x -h localhost -b "dc=stanford,dc=edu" uid=quanah
Inappropriate authentication (48)



The KRB5CCNAME is set in slapd's environment, so it has access to the ticket cache it needs to use to perform SASL/GSSAPI. It is not talking to the remote server at all.

Is there something here I'm missing?

I've also tried:

idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu


But then I get:

Authentication method not supported (7)


And again, it didn't talk to the remote server.


Thanks, Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
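The two idassert-bind variants in the post only differ in how the multi-line directive is laid out, and slapd.conf(5) reads a line that begins with whitespace as a continuation of the previous directive. The following is an added example, not code from the post or from OpenLDAP: a small parser that applies that continuation rule to a slapd.conf fragment and then checks the idassert-bind parameters of a back-ldap proxy (bindmethod, saslmech, a stray continuation line that lost its indentation, and a credentials= password paired with GSSAPI). The sample configs are constructed from the fragments above; the parameter rules are this example's reading of slapd-ldap(5), not the server's own validation.

```python
"""Parse a slapd.conf fragment the way slapd.conf(5) describes (comments,
blank lines, whitespace-led continuation lines) and sanity-check the
idassert-bind directive of a back-ldap proxy.

Added example; not code from the mailing-list post or from OpenLDAP.  The
sample configs below are constructed for illustration, and the checks encode
the slapd-ldap(5) parameter rules as this example understands them.
"""
import shlex

# idassert-bind key=value parameters this example knows about (assumption).
IDASSERT_PARAMS = {"bindmethod", "binddn", "credentials", "saslmech",
                   "realm", "authcid", "authzid", "mode", "flags"}


def parse_slapd_conf(text):
    """Return [(directive, [args]), ...].

    A line beginning with whitespace continues the previous directive, so a
    multi-line idassert-bind becomes one entry; a continuation line that lost
    its leading whitespace becomes a directive of its own.
    """
    logical = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + stripped
        else:
            logical.append(stripped)
    parsed = []
    for line in logical:
        words = shlex.split(line)          # keeps a quoted suffix/uri intact
        parsed.append((words[0].lower(), words[1:]))
    return parsed


def check_idassert_bind(directives):
    """Return a list of findings (strings) about idassert-bind usage.

    Rules encoded here (assumptions drawn from slapd-ldap(5)):
      * bindmethod must be none, simple or sasl
      * bindmethod=simple needs binddn= and credentials=
      * bindmethod=sasl needs saslmech=; with GSSAPI the proxy authenticates
        with the Kerberos ticket cache, not with a credentials= password
      * an idassert parameter standing alone as a directive is almost always
        a continuation line that lost its leading whitespace
    """
    findings = []
    for name, args in directives:
        if name != "idassert-bind":
            if name.split("=", 1)[0] in IDASSERT_PARAMS:
                findings.append(
                    f"'{name}' is parsed as its own directive: indent it so "
                    "it continues the idassert-bind line")
            continue
        params = {}
        for arg in args:
            if "=" not in arg:
                findings.append(f"idassert-bind: '{arg}' is not key=value")
                continue
            key, value = arg.split("=", 1)
            params[key.lower()] = value
        method = params.get("bindmethod", "").lower()
        if method not in {"none", "simple", "sasl"}:
            findings.append(f"idassert-bind: unknown bindmethod '{method}'")
        elif method == "simple":
            for needed in ("binddn", "credentials"):
                if needed not in params:
                    findings.append(
                        f"idassert-bind: bindmethod=simple needs {needed}=")
        elif method == "sasl":
            mech = params.get("saslmech", "").upper()
            if not mech:
                findings.append("idassert-bind: bindmethod=sasl needs saslmech=")
            elif mech == "GSSAPI" and "credentials" in params:
                findings.append(
                    "idassert-bind: credentials= is a password, but GSSAPI "
                    "authenticates with the ticket cache in KRB5CCNAME")
    return findings


# Constructed sample configs, modelled on the fragments in the post above.
CONF_ANON = """\
# proxy slapd, anonymous bind to the backend
include /etc/ldap/schema/core.schema
modulepath /usr/lib/ldap
moduleload back_ldap.la
readonly on
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-bind bindmethod=none
"""

CONF_GSSAPI = """\
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
"""

# Same directive, but the authzID line has lost its leading whitespace.
CONF_GSSAPI_BROKEN = CONF_GSSAPI.replace("                authzID", "authzID")
```

Run `check_idassert_bind(parse_slapd_conf(open("/etc/ldap/slapd.conf").read()))` against a real file before restarting slapd; an empty list means the directive at least parses the way the author intended, which is the first thing to rule out when the proxy refuses a bind without ever contacting the remote server.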