Re: strong bind with back-ldap
Dieter Kluenter wrote:
> Hi,
> I have some problems understanding strong binds and proxy authc with
> back-ldap. It seems that back-ldap is not passing the bind credentials
> to the remote server, thus only an anonymous bind is enforced. On the
> other hand, a ldapwhoami results in success
ldapwhoami doesn't use idassert, it binds and performs whoami exop on
its own, eventually applying the proxyAuthz control if requested...
>
> ,----[ ldapwhoami on back-ldap ]
> | ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
> | SASL/DIGEST-MD5 authentication started
> | SASL username: dieter
> | SASL SSF: 128
> | SASL data security layer installed.
> | dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
> `----
>
> while a ldapsearch results in no success
>
> ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004
> -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber
>
> ,----[ log with loglevel acl ]
> | slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
> | slapd[7050]: => acl_mask: to all values by "", (=0)
> | slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
> | slapd[7050]: <= check a_dn_pat: users
> | slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> | slapd[7050]: => slap_access_allowed: search access denied by =0
> | slapd[7050]: => access_allowed: no more rules
> `----
>
> the back-ldap configuration,
>
> ,----[ back-ldap slapd.conf ]
> | .....
> | modulepath /opt/openldap/libexec/openldap
> | moduleload back_meta.la
> | moduleload back_ldap.la
> | moduleload pcache.la
> | moduleload rwm.la
> | authz-regexp uid=(.*),cn=.*,cn=auth
> |     ldap:///dc=dkluenter,dc=de??sub?uid=$1
> |
> | access to * by * read
> | database ldap
> | suffix dc=dkluenter,dc=de
> | rootdn cn=admin,dc=dkluenter,dc=de
> | uri ldap://localhost:389
> | acl-bind
> |     bindmethod=sasl
> |     saslmech=digest-md5
> |     authcId=admanager
> |     credentials=mailer
> | #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
> | idassert-bind
> |     bindmethod=sasl
> |     saslmech=digest-md5
> |     authzId=u:admanager
^^^ you should use authcId=admanager (or whatever identity you want to
use as the proxy identity) much like for acl-bind... With the above, as
far as I understand, you sort of try to bind anonymously and authz as
admanager, which is unlikely to succeed (but I think it's trapped
earlier by the proxy and nothing is actually sent to the remote server
with respect to identity assertion; then the failure at the server's side).
Hope this helps.
> |     authz=native
> |     credentials=mailer
> | proxy-whoami yes
> | overlay rwm
> | rwm-rewriteEngine on
> | rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
> | overlay pcache
> | proxycache bdb 10000 22 50 3600
> | proxycachequeries 10000
> | proxyattrset 0 mail telephonenumber
> | proxyattrset 1 mobile homephone
> | proxytemplate (sn=) 0 3600
> | proxytemplate (cn=) 1 3600
> | directory /opt/openldap/var/cache
> | cachesize 1000
> | dbconfig set_cachesize 0 1048576 0
> | index objectClass,queryid eq
> | index telephonenumber pres,eq
> | index cn,sn,mail pres,eq,sub
> | #
> | database monitor
> `----
>
> the relevant access rules on the remote server
>
> ,----[ slapd.conf access rules ]
> | access to dn.subtree="ou=adressbuch,o=avci,c=de"
> | by dn.exact="cn=adManager,o=avci,c=de" write
> | by users read
> `----
>
> Not to mention that the same search operation on the remote server is
> successful
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
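Added example, not part of the thread above: the idassert-bind stanza as posted, beside the form Pierangelo describes (authenticate as the proxy identity with authcId, then assert the client's identity), plus the remote-server side without which the assertion is refused. The identities are taken from the posted config; the idassert-authzFrom pattern, the authzTo value, the mode=self line and the remote authz-policy are assumptions about this deployment, shown to make the example complete.

```conf
###############################################################
# Proxy side: back-ldap slapd.conf (added example, assumed names)
###############################################################
database ldap
suffix   dc=dkluenter,dc=de
uri      ldap://localhost:389

# Identity the proxy uses for its own operations (ACL checks etc.).
acl-bind
    bindmethod=sasl
    saslmech=digest-md5
    authcId=admanager
    credentials=mailer

# Broken form (as posted): authzId names the identity to *assume*,
# not the one to *authenticate*; with no authcId the proxy has nothing
# to authenticate as, so the bind is effectively anonymous.
#idassert-bind
#    bindmethod=sasl
#    saslmech=digest-md5
#    authzId=u:admanager
#    authz=native
#    credentials=mailer

# Corrected form: authenticate as admanager (authcId + credentials) and
# carry the client's identity in the SASL authzId of that bind
# (authz=native).  mode=self (assert the client's own identity) is the
# default and is written out here only for clarity.
idassert-bind
    bindmethod=sasl
    saslmech=digest-md5
    authcId=admanager
    credentials=mailer
    authz=native
    mode=self

# Restrict which local identities the proxy may assert.  The pattern is
# an assumption modelled on the user DN shown by ldapwhoami above;
# adapt it to the real user tree.  Keep it anchored (^...$) so that
# only entries under that branch qualify.
idassert-authzFrom "dn.regex:^cn=[^,]+,ou=[^,]+,dc=dkluenter,dc=de$"

###############################################################
# Remote side: slapd.conf of the server holding o=avci,c=de
###############################################################
# The remote server must allow admanager to take on other identities,
# otherwise a bind with authzId set is rejected regardless of the
# proxy's settings.  With authz-policy "to", the permission lives on
# the *proxy identity's* entry in an authzTo attribute (LDIF below);
# the value is an assumption matching the example tree.
authz-policy to

# In the entry of the proxy identity (LDIF, added example):
#   dn: cn=adManager,o=avci,c=de
#   authzTo: dn.regex:^cn=[^,]+,ou=[^,]+,o=avci,c=de$
#
# and the existing ACL then applies to the asserted identity:
access to dn.subtree="ou=adressbuch,o=avci,c=de"
    by dn.exact="cn=adManager,o=avci,c=de" write
    by users read
```

Check it from the proxy with `ldapwhoami -Y digest-md5 -U dieter -H ldap://localhost:9004` (proxy-whoami is on, so the whoami is forwarded through idassert) and then run the same ldapsearch as above; the remote server's acl log should now show the search evaluated `by "cn=...,ou=...,o=avci,c=de"` instead of `by ""`. The authzTo value and the idassert-authzFrom pattern are the two places to keep tight: an over-broad regex on either side lets the proxy credentials impersonate identities they were never meant to cover.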