
Re: Chain authentication bind configuration



This worked perfectly.  The flag "non-prescriptive" was exactly what I needed
to statically force the binddn for the chain.  The end use for this is an
LDAP server which acts as a "superroot" tree for multiple Active Directory
systems in an 802.1x switch authorization service.

Thanks for your help Gavin.


On 1/11/08 11:39 AM, "Gavin Henry" <ghenry@suretecsystems.com> wrote:

> Dave Stoll wrote:
>> Yeah, that was my thought.  I've tried about a dozen different combinations
>> and I run into one problem.
>> 
>> First, rebind-as-user and chain-idassert-bind seem to only work properly
>> when I bind to openldap anonymously.
> 
> Have a look at mode and flags in "man slapd-ldap", test032-chain and
> tests/data/slapd-chain*.conf
> 
>> 
>> The other problem is that the user authentication can't be passed along
>> because this is essentially being built to provide access to two completely
>> separate active directory ldap servers for user authorization from a common
>> remote access platform.  We'd use radius, but radius in the case can't be
>> used for authorization, only authentication....
>> 
>> Basically I've hacked the active directory 2003 server to allow anonymous
>> bind and read in the cn=users,dc=domain,dc=local container to
>> unauthenticated users.  Unfortunately, I don't think my (government)
>> customer will want to do that in production.
>> 
>> Essentially I need to statically configure a bind DN and password in the
>> chain-idassert-bind that will be used for the connection back to the AD LDAP
>> server for the query.  Most of what I found in the documentation centers
>> around allowing bind users' authentication to be passed through the
>> connection so long as it matches a "bind allow access list".
>> 
>> It seems that something in the "from/to" rules may apply, but I am just
>> having trouble getting my hands around exactly what the combination is.
>> 
>> When I do a tcpdump on the network, the chain is working.  The OpenLDAP
>> server actually makes a bind request to AD and follows the referral for the
>> client.  The problem is the bind is simple and empty (RFC definition for
>> anonymous bind).
>> 
>> I'll spend some more time this weekend tinkering, but if you can think of
>> any knobs I need to set I'd certainly welcome the help.
>> 
>> Cheers,
>> Dave
>> 
>> 
>> On 1/11/08 10:09 AM, "Gavin Henry" <ghenry@suretecsystems.com> wrote:
>> 
>>> Dave Stoll wrote:
>>>> I'm on 2.4.7
>>>> 
>>> I take it you are using the chain overlay?
>>> 
>>> I think you can use chain-rebind-as-user and chain-idassert-bind
>>> 
>>> 
>>> man slapo-chain
>> 
> 

-- 
Dave Stoll
echo mac | sed 's/^/dave.stoll@/;s/$/.com/'
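For readers landing on this thread, here is a slapd.conf fragment for the setup Dave describes (an added example written for this page, not Dave's configuration or anything from the OpenLDAP test data): the chain overlay chases referrals to the AD server with a static, read-only service account and the non-prescriptive flag. Host names, DNs, the account and the password are placeholders; mode=none and the TLS settings are my assumptions about what a production version of this would want, not something stated in the thread.

```conf
# Added example, placeholders throughout (ad.domain.local, cn=ldapproxy, CHANGE-ME).
# Global section of slapd.conf: slapo-chain is meant to run as a global overlay
# so it can chase referrals returned by any database in the "superroot" tree.
overlay         chain
chain-uri       "ldap://ad.domain.local"

# Bind to AD as a dedicated read-only service account for every chased
# operation instead of forwarding the client's identity.
#   mode=none            assumption: no proxyAuthz control is sent, so the
#                        chased operation runs as binddn itself (AD does not
#                        implement RFC 4370 proxied authorization anyway).
#   flags=non-prescriptive  the flag from the thread: with the default
#                        "prescriptive", identities not allowed by
#                        chain-idassert-authzFrom fail with
#                        inappropriateAuthentication; non-prescriptive lets
#                        them proceed, so an arbitrary client bind no longer
#                        breaks the chain.
#   starttls/tls_reqcert  keep the password and the chased queries off the
#                        wire in clear and pin the AD server certificate.
chain-idassert-bind  bindmethod=simple
        binddn="cn=ldapproxy,cn=users,dc=domain,dc=local"
        credentials="CHANGE-ME"
        mode=none
        flags=non-prescriptive
        starttls=critical
        tls_reqcert=demand

# Do not re-bind to AD as the client; that is what produced the empty
# (anonymous) simple bind Dave saw in tcpdump.
chain-rebind-as-user FALSE
# Return the chained server's error to the client rather than the referral.
chain-return-error   TRUE
```

Because the AD password now lives in slapd.conf, restrict the file to the slapd user (chmod 600) and give the proxy account only the read rights the switch authorization lookups need; anonymous read on cn=users can then be switched back off on the AD side.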