Re: strong bind with back-ldap
Hello,
Pierangelo Masarati <ando@sys-net.it> writes:
> Dieter Kluenter wrote:
>> | uri ldap://localhost:389
>> | acl-bind
>> | bindmethod=sasl
>> | saslmech=digest-md5
>> | authcId=admanager
>> | credentials=mailer
>> | #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
>> | idassert-bind
>> | bindmethod=sasl
>> | saslmech=digest-md5
>> | authzId=u:admanager
>
> ^^^ you should use authcId=admanager (or whatever identity you want to
> use as the proxy identity) much like for acl-bind... With the above, as
> far as I understand, you sort of try to bind anonymously and authz as
> admanager, which is unlikely to succeed (but I think it's trapped
> earlier by the proxy and nothing is actually sent to the remote server
> with respect to identity assertion; then the failure at the server's side).
>
> Hope this helps.
I used authcId already, to no avail. I tested almost every possible
parameter combination.
On the remote server, password assertion for admanager and dieter is
performed successfully, but after the password assertion no bind operation
with any of those identities is performed.
,----[ password assertion by admanager ]
| slapd[7079]: => slap_access_allowed: no res from state (userPassword)
| slapd[7079]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci
| ,c=de", attr "userPassword" requested
| slapd[7079]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0)
| slapd[7079]: <= check a_dn_pat: self
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: [2] applying read(=rscxd) (stop)
| slapd[7079]: <= acl_mask: [2] mask: read(=rscxd)
| slapd[7079]: => slap_access_allowed: read access granted by read(=rscxd)
| slapd[7079]: => access_allowed: read access granted by read(=rscxd)
`----
,----[ anonymous search ]
| slapd[7079]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci
| ,c=de", attr "sn" requested
| slapd[7079]: => acl_mask: to all values by "", (=0)
| slapd[7079]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7079]: => slap_access_allowed: search access denied by =0
| slapd[7079]: => access_allowed: no more rules
`----
I have got the impression that the idassert-bind parameters are never
passed to the remote server. If I disable acl-bind parameters and only
use idassert-bind parameters, back-ldap complains about
SASL [conn=0] Failure: no secret in database
but no connection is made to the remote server in order to verify the
credentials.
I must admit that on the remote server I have successfully configured
SASL proxy authentication by means of ldapdb. All I want to do is to
put back-ldap on a postfix server and use the SASL auxprop ldapdb plugin
against back-ldap.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
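To illustrate Pierangelo's point about authcId versus authzId, here is an added slapd.conf fragment for the proxy and the matching directives on the remote server. It is not taken from the thread; it assumes the names used above (admanager, the credentials "mailer", the dc=dkluenter,dc=de naming context) and that the remote slapd is configured to let admanager assume other identities.

```text
# --- proxy side (back-ldap database), added example, not Dieter's config ---
database        ldap
suffix          "dc=dkluenter,dc=de"
uri             ldap://localhost:389

# identity used for the proxy's own lookups (ACL checks, entry fetches)
acl-bind        bindmethod=sasl saslmech=digest-md5
                authcId=admanager credentials=mailer

# identity that AUTHENTICATES to the remote server when asserting a client
# identity: authcId (who we are), not authzId (who we want to become).
# The asserted identity is taken from the client's own bind, per request.
idassert-bind   bindmethod=sasl saslmech=digest-md5
                authcId=admanager credentials=mailer
                mode=none flags=non-prescriptive

# only client identities matching this pattern may be asserted through admanager
idassert-authzFrom "dn.regex:^cn=[^,]+,ou=[^,]+,dc=dkluenter,dc=de$"

# --- remote server side (assumption: OpenLDAP slapd with SASL enabled) ---
# admanager's entry must carry an authzTo value covering the identities it
# may assume, and the server must honour that attribute:
authz-policy    to
# example attribute on the proxy identity's entry (constructed value):
#   dn: cn=admanager,o=avci,c=de
#   authzTo: dn.regex:^cn=[^,]+,ou=[^,]+,dc=dkluenter,dc=de$
```

With authzId in idassert-bind instead of authcId, the proxy has no credentials of its own for the assertion step, which matches the "no secret in database" failure seen above.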