
Re: strong bind with back-ldap
Dieter Kluenter wrote:
> Hi,
> I have some problems understanding strong binds and proxy authc with
> back-ldap. It seems that back-ldap is not passing the bind credentials
> to the remote server, thus only an anonymous bind is enforced. On the
> other hand, a ldapwhoami results in success

ldapwhoami doesn't use idassert, it binds and performs whoami exop on
its own, eventually applying the proxyAuthz control if requested...

> 
> ,----[ ldapwhoami on back-ldap ]
> | ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
> | SASL/DIGEST-MD5 authentication started
> | SASL username: dieter
> | SASL SSF: 128
> | SASL data security layer installed.
> | dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
> `----
> 
> while a ldapsearch results in no success
> 
> ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004
>    -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber
> 
> ,----[ log with loglevel acl ]
> | slapd[7050]: => acl_mask: access to entry "cn=Deszo
> |       Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
> | slapd[7050]: => acl_mask: to all values by "", (=0)
> | slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
> | slapd[7050]: <= check a_dn_pat: users
> | slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
> | slapd[7050]: => slap_access_allowed: search access denied by =0
> | slapd[7050]: => access_allowed: no more rules
> `----
> 
> the back-ldap configuration,
> 
> ,----[ back-ldap slapd.conf ]
> | .....
> | modulepath /opt/openldap/libexec/openldap
> | moduleload      back_meta.la
> | moduleload      back_ldap.la
> | moduleload      pcache.la
> | moduleload      rwm.la
> | authz-regexp uid=(.*),cn=.*,cn=auth
> |              ldap:///dc=dkluenter,dc=de??sub?uid=$1
> | 
> | access to * by * read
> | database        ldap
> | suffix          dc=dkluenter,dc=de
> | rootdn          cn=admin,dc=dkluenter,dc=de
> | uri             ldap://localhost:389
> | acl-bind
> |         bindmethod=sasl
> |         saslmech=digest-md5
> |         authcId=admanager
> |         credentials=mailer
> | #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
> | idassert-bind
> |         bindmethod=sasl
> |         saslmech=digest-md5
> |         authzId=u:admanager

^^^ you should use authcId=admanager (or whatever identity you want to
use as the proxy identity) much like for acl-bind...  With the above, as
far as I understand, you sort of try to bind anonymously and authz as
admanager, which is unlikely to succeed (but I think it's trapped
earlier by the proxy and nothing is actually sent to the remote server
with respect to identity assertion; then the failure at the server's side).

Hope this helps.

> |         authz=native
> |         credentials=mailer
> | proxy-whoami yes
> | overlay rwm
> | rwm-rewriteEngine on
> | rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
> | overlay pcache
> | proxycache bdb 10000 22 50 3600
> | proxycachequeries 10000
> | proxyattrset 0 mail telephonenumber
> | proxyattrset 1 mobile homephone
> | proxytemplate (sn=) 0 3600
> | proxytemplate (cn=) 1 3600
> | directory       /opt/openldap/var/cache
> | cachesize       1000
> | dbconfig set_cachesize 0 1048576 0
> | index           objectClass,queryid eq
> | index           telephonenumber pres,eq
> | index           cn,sn,mail pres,eq,sub
> | #
> | database        monitor
> `----
> 
> the relevant access rules on the remote server
> 
> ,----[ slapd.conf access rules ]
> | access to dn.subtree="ou=adressbuch,o=avci,c=de"
> |        by dn.exact="cn=adManager,o=avci,c=de" write
> |        by users read
> `----
> 
> Not to mention that the same search operation on the remote server is
> successful 
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
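The back-ldap stanza below is an added example based on Pierangelo's suggestion; it is not the original poster's configuration nor anything shipped by the OpenLDAP project. It shows the failing idassert-bind (authzId only, so the proxy binds anonymously and then asks to be authorized as admanager) next to the corrected form (authcId=admanager, then per-operation identity assertion with authz=native). Directive names are those of slapd-ldap(5); the password value is a placeholder, and the idassert-authzFrom rule is an assumed policy, not something from the thread.

```conf
# Added example: back-ldap identity assertion with a real proxy identity.
# Values other than the placeholder password are taken from the thread.
database        ldap
suffix          dc=dkluenter,dc=de
rootdn          cn=admin,dc=dkluenter,dc=de
uri             ldap://localhost:389

# Identity the proxy binds with for its own internal operations.
acl-bind
        bindmethod=sasl
        saslmech=digest-md5
        authcId=admanager
        credentials=REPLACE_WITH_PASSWORD

# Failing form: only an authzId is given, so the SASL bind authenticates as
# nobody and then requests authorization as admanager; the remote server
# has no authenticated identity to grant that to.
#idassert-bind
#        bindmethod=sasl
#        saslmech=digest-md5
#        authzId=u:admanager
#        authz=native
#        credentials=REPLACE_WITH_PASSWORD

# Corrected form: authenticate as admanager, then assert the client's
# identity on each forwarded operation via the proxyAuthz control.
idassert-bind
        bindmethod=sasl
        saslmech=digest-md5
        authcId=admanager
        authz=native
        credentials=REPLACE_WITH_PASSWORD

# Assumed policy: only assert identities that live under the proxied suffix;
# other clients are forwarded without identity assertion.
idassert-authzFrom "dn.subtree:dc=dkluenter,dc=de"
```

Two things to check after changing this: the remote server must allow admanager to assume other identities (an authz-policy that permits it and a matching authzTo value on admanager's entry), otherwise the proxyAuthz control is rejected; and the acl debug log on the remote side should then show the asserted client DN, rather than the empty `by ""`, in the acl_mask lines.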