
Re: Using back-ldap as a dumb proxy





--On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

Quanah Gibson-Mount wrote:

Sure.  Which configuration do you want me to try it with? ;)  Here is -d
-1 with this config:

idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu

First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? proxy authorize as the incoming request? just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?

What I want it to do is bind using the Krb5 ticket cache specified in slapd's environment, and use whatever identity gets *automatically* negotiated on the remote server's side. All this authcID and authzID stuff is really unnecessary, since the remote server handles it anyway.


What "service/mailrouter@stanford.edu" gets mapped to on the remote server IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the authz-regexp rule on the remote server.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
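As an added illustration (not part of this thread, and not configuration from either poster), here is the back-ldap stanza with the "mode" parameter Pierangelo asks about filled in for the behaviour Quanah describes: the proxy authenticates once via GSSAPI from the ticket cache in slapd's environment and runs every forwarded operation as whatever identity the remote authz-regexp maps that principal to, with no per-client identity assertion. The remote URI and suffix are placeholders, and dropping authzID relies on the remote mapping the thread describes.

```conf
# slapd.conf fragment for a back-ldap "dumb proxy" (added example, hypothetical values)
database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://REMOTE-LDAP-HOST.example"      # placeholder for the real remote server

# The proxy binds with its own Kerberos credentials (ticket cache named by
# KRB5CCNAME in slapd's environment).  The remote server's authz-regexp maps
# service/mailrouter@stanford.edu to cn=mailrouter,cn=service,cn=applications,...
# so no authzID needs to be asserted from this side.
#
# mode=none: the client's identity is NOT asserted; all operations reach the
# remote server as the proxy's own identity.  That is the "dumb proxy"
# behaviour, and it also means every client inherits exactly the access the
# remote server grants cn=mailrouter, no more and no less, so keep that
# remote ACL as narrow as the mail routing lookups allow.
idassert-bind   bindmethod=sasl
                saslmech=gssapi
                realm=stanford.edu
                authcID=service/mailrouter@stanford.edu
                mode=none
```

Without mode=none (the default mode), slapd-ldap attempts to assert the connecting client's identity toward the remote server, which is the extra proxy-authorization step the thread is trying to avoid.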