[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Using back-ldap as a dumb proxy
--On Wednesday, February 21, 2007 11:52 PM +0100 Pierangelo Masarati
<ando@sys-net.it> wrote:
Quanah Gibson-Mount wrote:
--On Wednesday, February 21, 2007 2:39 PM -0800 Quanah Gibson-Mount
<quanah@stanford.edu> wrote:
I'm trying to set up a very simply slapd that takes incoming requests
locally, and forwards them on to a remote server using SASL/GSSAPI to
get the information, so that a internal app that doesn't understand
SASL/GSSAPI can get the information it needs.
Never mind, I forgot to load the core schema. duh. :P
The proxy was a bit too dumb ;)
Heh.
The problem I'm having now, is I can't get it to perform SASL/GSSAPI auth
to the remote proxy.
If I have:
# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema
# Global Options
modulepath /usr/lib/ldap
moduleload back_ldap.la
readonly on
access to *
by * read
# LDAP Proxy Options
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-bind bindmethod=none
It correctly talks to the remote server with an anonymous bind. However,
if I change things around:
idassert-bind bindmethod=sasl
saslmech=gssapi
realm=stanford.edu
authcID=proxy
credentials=proxy
mode=self
I get:
ldapsearch -LLL -x -h localhost -b "dc=stanford,dc=edu" uid=quanah
Inappropriate authentication (48)
The KRB5CCNAME is set in slapd's environment, so it has access to the
ticket cache it needs to use to perform SASL/GSSAPI. It is not talking to
the remote server at all.
Is there something here I'm missing?
I've also tried:
idassert-bind bindmethod=sasl
saslmech=gssapi
realm=stanford.edu
authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
But then I get:
Authentication method not supported (7)
And again, it didn't talk to the remote server.
Thanks,
Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html