
Re: strong bind with back-ldap



Hello,

Pierangelo Masarati <ando@sys-net.it> writes:

> Dieter Kluenter wrote:

>> | uri             ldap://localhost:389
>> | acl-bind
>> |         bindmethod=sasl
>> |         saslmech=digest-md5
>> |         authcId=admanager
>> |         credentials=mailer
>> | #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
>> | idassert-bind
>> |         bindmethod=sasl
>> |         saslmech=digest-md5
>> |         authzId=u:admanager
>
> ^^^ you should use authcId=admanager (or whatever identity you want to
> use as the proxy identity) much like for acl-bind...  With the above, as
> far as I understand, you sort of try to bind anonymously and authz as
> admanager, which is unlikely to succeed (but I think it's trapped
> earlier by the proxy and nothing is actually sent to the remote server
> with respect to identity assertion; then the failure at the server's side).
>
> Hope this helps.

I used authcId already, to no avail. I tested almost every possible
parameter combination.
On the remote server the password assertion of admanager and dieter is
performed successfully, but after the password assertion no bind operation
with either of those identities is performed.

,----[ password assertion by admanager ]
| slapd[7079]: => slap_access_allowed: no res from state (userPassword)
| slapd[7079]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci
| ,c=de", attr "userPassword" requested
| slapd[7079]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0) 
| slapd[7079]: <= check a_dn_pat: self
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: [2] applying read(=rscxd) (stop)
| slapd[7079]: <= acl_mask: [2] mask: read(=rscxd)
| slapd[7079]: => slap_access_allowed: read access granted by read(=rscxd)
| slapd[7079]: => access_allowed: read access granted by read(=rscxd)
`----

,----[ anonymous search ]
| slapd[7079]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci
| ,c=de", attr "sn" requested
| slapd[7079]: => acl_mask: to all values by "", (=0) 
| slapd[7079]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7079]: => slap_access_allowed: search access denied by =0
| slapd[7079]: => access_allowed: no more rules
`----

I have got the impression that the idassert-bind parameters are never
passed to the remote server. If I disable the acl-bind parameters and only
use the idassert-bind parameters, back-ldap complains about
SASL [conn=0] Failure: no secret in database
but no connection is made to the remote server in order to verify the
credentials.

I must admit that on the remote server I have successfully configured
SASL proxy authentication by means of ldapdb. All I want to do is to
put back-ldap on a postfix server and use the SASL auxprop ldapdb
against back-ldap.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
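For readers of this thread, here is an added configuration sketch (not part of Dieter's or Pierangelo's messages, and not tested against their setup) of what Pierangelo's suggestion looks like when written out on both sides: the proxy's idassert-bind authenticates as the proxy's own account (authcId) and the remote server maps that SASL name to an entry that is allowed to assert other identities. The hostname, the placeholder secret, the ou=Partner subtree and the authz-regexp pattern are assumptions; the realm component in the DIGEST-MD5 name depends on your SASL setup.

```conf
### proxy side: slapd.conf of the back-ldap instance (added example)
database        ldap
suffix          "o=avci,c=de"
uri             ldap://remote.example.invalid:389

# identity the proxy uses for its own operations (e.g. ACL lookups)
acl-bind        bindmethod=sasl
                saslmech=DIGEST-MD5
                authcId=admanager
                credentials=CHANGE-ME-SECRET

# identity assertion: authenticate as the proxy account itself (authcId),
# then let the remote server authorize the client's identity on top of it;
# an authzId here would try to authorize without authenticating first
idassert-bind   bindmethod=sasl
                saslmech=DIGEST-MD5
                authcId=admanager
                credentials=CHANGE-ME-SECRET

# restrict which client identities the proxy may assert (assumed subtree)
idassert-authzFrom "dn.subtree:ou=Partner,o=avci,c=de"

### remote side: slapd.conf of the server being proxied (added example)
# map the SASL DIGEST-MD5 authentication name of the proxy account to
# its directory entry; the optional group matches a realm if present
authz-regexp    "uid=([^,]*)(,cn=[^,]*)?,cn=digest-md5,cn=auth"
                "cn=$1,o=avci,c=de"

# let the proxy's entry state whom it may impersonate via its authzTo
# attribute (e.g. authzTo: dn.subtree:ou=Partner,o=avci,c=de)
authz-policy    to
```

The remote-side log should then show a bind by cn=admanager,o=avci,c=de followed by operations carrying the asserted client DN rather than the anonymous "" seen in the search trace above.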