
strong bind with back-ldap
Hi,
I have some problems understanding strong binds and proxy authc with
back-ldap. It seems that back-ldap is not passing the bind credentials
to the remote server, thus only an anonymous bind is enforced. On the
other hand, an ldapwhoami results in success

,----[ ldapwhoami on back-ldap ]
| ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
| SASL/DIGEST-MD5 authentication started
| SASL username: dieter
| SASL SSF: 128
| SASL data security layer installed.
| dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
`----

while an ldapsearch results in no success

ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004
   -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber

,----[ log with loglevel acl ]
| Slapd[7050]: => Acl_Mask: Access To Entry "Cn=Deszo
|       Laszlo,Ou=Adressbuch,O=Avci,C=De", Attr "Sn" Requested
| Slapd[7050]: => Acl_Mask: To All Values By "", (=0) 
| Slapd[7050]: <= Check A_Dn_Pat: Cn=Admanager,O=Avci,C=De
| Slapd[7050]: <= Check A_Dn_Pat: Users
| Slapd[7050]: <= Acl_Mask: No More <Who> Clauses, Returning =0 (Stop)
| Slapd[7050]: => Slap_Access_Allowed: Search Access Denied By =0
| Slapd[7050]: => Access_Allowed: No More Rules
`----

the back-ldap configuration,

,----[ back-ldap slapd.conf ]
| .....
| modulepath /opt/openldap/libexec/openldap
| moduleload      back_meta.la
| moduleload      back_ldap.la
| moduleload      pcache.la
| moduleload      rwm.la
| authz-regexp uid=(.*),cn=.*,cn=auth
|              ldap:///dc=dkluenter,dc=de??sub?uid=$1
| 
| access to * by * read
| database        ldap
| suffix          dc=dkluenter,dc=de
| rootdn          cn=admin,dc=dkluenter,dc=de
| uri             ldap://localhost:389
| acl-bind
|         bindmethod=sasl
|         saslmech=digest-md5
|         authcId=admanager
|         credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|         bindmethod=sasl
|         saslmech=digest-md5
|         authzId=u:admanager
|         authz=native
|         credentials=mailer
| proxy-whoami yes
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
| overlay pcache
| proxycache bdb 10000 22 50 3600
| proxycachequeries 10000
| proxyattrset 0 mail telephonenumber
| proxyattrset 1 mobile homephone
| proxytemplate (sn=) 0 3600
| proxytemplate (cn=) 1 3600
| directory       /opt/openldap/var/cache
| cachesize       1000
| dbconfig set_cachesize 0 1048576 0
| index           objectClass,queryid eq
| index           telephonenumber pres,eq
| index           cn,sn,mail pres,eq,sub
| #
| database        monitor
`----

the relevant access rules on the remote server

,----[ slapd.conf access rules ]
| access to dn.subtree="ou=adressbuch,o=avci,c=de"
|        by dn.exact="cn=adManager,o=avci,c=de" write
|        by users read
`----

Not to mention that the same search operation on the remote server is
successful.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6