strong bind with back-ldap
Hi,
I have some problems understanding strong binds and proxy authc with
back-ldap. It seems that back-ldap is not passing the bind credentials
to the remote server, thus only an anonymous bind is enforced. On the
other hand, an ldapwhoami results in success:
,----[ ldapwhoami on back-ldap ]
| ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
| SASL/DIGEST-MD5 authentication started
| SASL username: dieter
| SASL SSF: 128
| SASL data security layer installed.
| dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
`----
while an ldapsearch results in no success:
ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004
-b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber
,----[ log with loglevel acl ]
| Slapd[7050]: => Acl_Mask: Access To Entry "Cn=Deszo
| Laszlo,Ou=Adressbuch,O=Avci,C=De", Attr "Sn" Requested
| Slapd[7050]: => Acl_Mask: To All Values By "", (=0)
| Slapd[7050]: <= Check A_Dn_Pat: Cn=Admanager,O=Avci,C=De
| Slapd[7050]: <= Check A_Dn_Pat: Users
| Slapd[7050]: <= Acl_Mask: No More <Who> Clauses, Returning =0 (Stop)
| Slapd[7050]: => Slap_Access_Allowed: Search Access Denied By =0
| Slapd[7050]: => Access_Allowed: No More Rules
`----
The back-ldap configuration:
,----[ back-ldap slapd.conf ]
| .....
| modulepath /opt/openldap/libexec/openldap
| moduleload back_meta.la
| moduleload back_ldap.la
| moduleload pcache.la
| moduleload rwm.la
| authz-regexp uid=(.*),cn=.*,cn=auth
| ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
| database ldap
| suffix dc=dkluenter,dc=de
| rootdn cn=admin,dc=dkluenter,dc=de
| uri ldap://localhost:389
| acl-bind
| bindmethod=sasl
| saslmech=digest-md5
| authcId=admanager
| credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
| bindmethod=sasl
| saslmech=digest-md5
| authzId=u:admanager
| authz=native
| credentials=mailer
| proxy-whoami yes
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
| overlay pcache
| proxycache bdb 10000 22 50 3600
| proxycachequeries 10000
| proxyattrset 0 mail telephonenumber
| proxyattrset 1 mobile homephone
| proxytemplate (sn=) 0 3600
| proxytemplate (cn=) 1 3600
| directory /opt/openldap/var/cache
| cachesize 1000
| dbconfig set_cachesize 0 1048576 0
| index objectClass,queryid eq
| index telephonenumber pres,eq
| index cn,sn,mail pres,eq,sub
| #
| database monitor
`----
The relevant access rules on the remote server:
,----[ slapd.conf access rules ]
| access to dn.subtree="ou=adressbuch,o=avci,c=de"
| by dn.exact="cn=adManager,o=avci,c=de" write
| by users read
`----
Not to mention that the same search operation on the remote server is
successful.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
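Added example, not part of Dieter's post or of OpenLDAP itself: a small Python parser for slapd ACL traces of the kind quoted above. When debugging proxy authentication through back-ldap, the useful fact in each `acl_mask` block is the identity after `by "..."`, because that is the DN the remote server actually evaluated the rule against; an empty string there means the operation arrived anonymously, which is exactly what a `by users read` rule then rejects. The log text below is constructed to resemble the quoted trace (lower-cased to slapd's usual form, with a second, granted check added for contrast) and is not a verbatim copy of the post; the regexes are case-insensitive so the title-cased form in the post parses too.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the ACL trace quoted in the post; the second
# block (identity cn=admanager, access granted) is added for contrast.
SAMPLE_LOG = """\
slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=Adressbuch,o=avci,c=de", attr "sn" requested
slapd[7050]: => acl_mask: to all values by "", (=0)
slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
slapd[7050]: <= check a_dn_pat: users
slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[7050]: => slap_access_allowed: search access denied by =0
slapd[7050]: => access_allowed: no more rules
slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=Adressbuch,o=avci,c=de", attr "mail" requested
slapd[7050]: => acl_mask: to all values by "cn=admanager,o=avci,c=de", (=0)
slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
slapd[7050]: <= acl_mask: [1] applying write(=wrscxd) (stop)
slapd[7050]: => slap_access_allowed: search access granted by write(=wrscxd)
"""

# One ACL check starts with "access to entry ..., attr ... requested".
ENTRY_RE = re.compile(
    r'=> acl_mask: access to entry "(?P<entry>[^"]*)", attr "(?P<attr>[^"]*)" requested',
    re.IGNORECASE,
)
# The identity the rule is evaluated against ("" means anonymous).
WHO_RE = re.compile(r'=> acl_mask: to .*? by "(?P<who>[^"]*)"', re.IGNORECASE)
# Final verdict for the check.
DECISION_RE = re.compile(
    r"=> slap_access_allowed: (?P<op>\w+) access (?P<decision>granted|denied) by",
    re.IGNORECASE,
)


@dataclass
class AclCheck:
    entry: str
    attr: str
    who: Optional[str] = None
    op: Optional[str] = None
    decision: Optional[str] = None

    @property
    def anonymous(self) -> bool:
        # slapd prints an empty DN for an anonymous (unauthenticated) client.
        return self.who == ""


def parse_acl_trace(text: str) -> List[AclCheck]:
    """Group ACL-trace lines into one AclCheck per entry/attribute decision."""
    checks: List[AclCheck] = []
    current: Optional[AclCheck] = None
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if m:
            current = AclCheck(entry=m["entry"], attr=m["attr"])
            checks.append(current)
            continue
        if current is None:
            continue  # lines before the first check are ignored
        m = WHO_RE.search(line)
        if m:
            current.who = m["who"]
            continue
        m = DECISION_RE.search(line)
        if m:
            current.op = m["op"].lower()
            current.decision = m["decision"].lower()
    return checks


def anonymous_denials(checks: List[AclCheck]) -> List[AclCheck]:
    """Checks that were denied because the operation reached slapd anonymously.

    Seeing these on the remote server while the client did a SASL bind to the
    proxy points at the proxy not asserting (or binding with) the client identity.
    """
    return [c for c in checks if c.anonymous and c.decision == "denied"]


def summarize(checks: List[AclCheck]) -> List[str]:
    """Human-readable one-liner per check, for a quick look at a trace."""
    return [
        f'{c.op or "?"} on attr "{c.attr}" of {c.entry}: '
        f'{c.decision or "?"} for {"<anonymous>" if c.anonymous else c.who}'
        for c in checks
    ]


if __name__ == "__main__":
    parsed = parse_acl_trace(SAMPLE_LOG)
    for line in summarize(parsed):
        print(line)
    print(f"{len(anonymous_denials(parsed))} denial(s) evaluated against an anonymous identity")
```

Run it against `slapd -d acl` output (or the syslog lines shown in the post) to see, per attribute, which identity the remote server used; in the quoted trace every denied check is evaluated for `""`, so the place to look is the proxy's bind to the remote server rather than the remote ACLs themselves.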