[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: [Rivendell] idassert-bind not working as expected?
Federico Grau wrote:
> Hello Pierangelo,
>
> First, thank you for the response. I will re-test with the current stable
> release (2.3.32).
After reading the CHANGES in re23, you should rather use 2.3.35.
> FYI, we chose the slapd-meta backend to allow for redundancy and work with
> multiple remote servers (I had read in the man page "the ldap backend is
> intended to proxy operations directed to a single server").
If by "redundancy" you mean that in case of failure of a server another
one will be contacted, then it has nothing to do with the difference
between back-meta and back-ldap. The way both handle lists of multiple
servers in case of failure is identical. Back-meta assumes that the
servers related to each "uri" statement contain different data. So
database ldap
uri "ldap://ldap.example.com ldap://backup.example.com"
is redundancy (sort of);
database meta
uri "ldap://ldap.example.com/<suffix> ldap://backup.example.com"
is exactly the same level of redundancy (sort of);
database meta
uri "ldap://ldap.example.com/<suffix>"
uri "ldap://backup.example.com/<suffix>"
is a configuration error...
> Would you have a sample configuration file for the working situtation? I
> never see a "simple authentication" bind go out from the OpenLDAP meta server,
> so something is definitely wrong on that end (either configuration or bug).
I tested:
database ldap
suffix "ou=windows,dc=rfa,dc=org"
uri "ldap://:9011/"
overlay rwm
rwm-suffixmassage "ou=windows,dc=rfa,dc=org"
"ou=People,dc=example,dc=com"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=simple
binddn="cn=Manager,dc=example,dc=com"
credentials="secret"
mode=none
database meta
suffix "ou=windows,dc=rfa,dc=org"
uri "ldap://:9011/ou=windows,dc=rfa,dc=org"
suffixmassage "ou=windows,dc=rfa,dc=org" "ou=People,dc=example,dc=com"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=simple
binddn="cn=Manager,dc=example,dc=com"
credentials="secret"
mode=none
where, of course, in both cases ldap://:9011 was pointing to another
instance of slapd running on port 9011 as resulting from running
test003. To make sure authentication was progressing, I modified the
configuration of that slapd with a simple
access to * by * auth
so that the only way data could be read was after successfully binding
as the rootdn of the remote server, as configured in both idassert-bind.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------