Re: Using back-ldap as a dumb proxy

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati 
<ando@sys-net.it> wrote:

> Quanah Gibson-Mount wrote:
>
> > Sure.  Which configuration do you want me to try it with? ;)  Here is -d
> > -1 with this config:
> >
> > idassert-bind   bindmethod=sasl
> >                saslmech=gssapi
> >                realm=stanford.edu
> >                authcID=service/mailrouter@stanford.edu
> >
> > authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
>
> First of all, what's missing here is the "mode" parameter; what do you
> want the proxy to do?  bind as "service/mailrouter@stanford.edu", SASL
> authorize as
> "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and
> then?  proxy authorize as the incoming request?  just keep the
> "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?

What I want for it to do is bind using the Krb5 ticket cache specified in 
slapd's environment, and use whatever identity gets *automatically* 
negotiated on the remote servers side.  All this authcID and authZID stuff 
is really unnecessary, since the remote server handles it anyway.

What "service/mailrouter@stanford.edu" gets mapped to on the remote server 
IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the 
authz-regexp rule on the remote server.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html