
ProxyAuth via slapd-ldap woes
Hello, I'm having the hardest time getting ProxyAuth working to FDS via the OpenLDAP slapd-ldap module.

I'm currently using a Kerberos SASL bind to the OpenLDAP proxy server, which performs a search for the associated user DN on the FDS server. This part works fine. But when slapd attempts to perform proxyauth for that user, I receive the following error from FDS:

# search result
search: 4
result: 2 Protocol error
text: unable to parse proxied authorization control

I have tested proxyauth via other methods and they work fine.

I have the following in my slapd.conf file:

# SASL

sasl-realm      CORP.COMPANY.COM
sasl-host       ldap03.corp.company.com
sasl-secprops           minssf=56
# Regexp for SASL authentication:
authz-regexp
        uid=(.*),cn=corp.company.com,cn=gssapi,cn=auth
        ldap:///dc=corp,dc=company,dc=com??sub?(uid=$1)

authz-policy to
authzTo=ldap:///dc=corp,dc=company,dc=com??sub?(objectclass=person)
#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database        ldap
suffix          "dc=corp,dc=company,dc=com"
#uri            "ldaps://ldap01.corp.company.com/dc=corp,dc=company,dc=com"
uri             "ldap://ldap01.corp.company.com/"
acl-bind        bindmethod=simple
                binddn="uid=proxyadmin,cn=users,cn=bindaccounts,dc=corp,dc=company,dc=com"
                credentials="password"

idassert-authzFrom "dn:*"
idassert-bind   bindmethod=simple
                binddn="uid=proxyadmin,cn=users,cn=bindaccounts,dc=corp,dc=company,dc=com"
                credentials="password"
                mode=self

Not sure if it's helpful, but here is the log output at the time of the event:

Apr  8 16:17:39 ldap03 slapd[3166]: ===>slap_sasl_match: comparing DN uid=dejongm,cn=opssec,cn=users,cn=accounts,dc=corp,dc=company,dc=com to rule dn:*
Apr  8 16:17:39 ldap03 slapd[3166]: slap_parseURI: parsing dn:*
Apr  8 16:17:39 ldap03 slapd[3166]: <===slap_sasl_match: comparison returned 0
Apr  8 16:17:39 ldap03 slapd[3166]: ===>slap_sasl_match: comparing DN uid=dejongm,cn=opssec,cn=users,cn=accounts,dc=corp,dc=company,dc=com to rule dn:*
Apr  8 16:17:39 ldap03 slapd[3166]: slap_parseURI: parsing dn:*
Apr  8 16:17:39 ldap03 slapd[3166]: <===slap_sasl_match: comparison returned 0
Apr  8 16:17:39 ldap03 slapd[3166]: send_ldap_result: conn=0 op=3 p=3
Apr  8 16:17:39 ldap03 slapd[3166]: send_ldap_result: err=2 matched="" text="unable to parse proxied authorization control"
Apr  8 16:17:39 ldap03 slapd[3166]: send_ldap_response: msgid=4 tag=101 err=2
Apr  8 16:17:39 ldap03 slapd[3166]: conn=0 op=3 SEARCH RESULT tag=101 err=2 nentries=0 text=unable to parse proxied authorization control
Any suggestions would be appreciated.

-Mark
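The error above is about the proxied authorization control itself (RFC 4370, OID 2.16.840.1.113730.3.4.18), so the most useful thing to check is the exact bytes the proxy puts on the wire. The following is an added example, not code from the original post or from OpenLDAP or FDS: a small standard-library Python encoder/decoder for the control as it appears inside an LDAPv3 operation (RFC 4511 Control SEQUENCE), which can be pointed at a control value captured between the proxy and FDS to tell whether the value is the plain authzId that RFC 4370 specifies or a BER-wrapped DN. The older draft control OID 2.16.840.1.113730.3.4.12 is real; that its value is a SEQUENCE containing the DN is my assumption, as are all sample DNs, which are constructed.

```python
"""
Encode and decode an LDAPv3 proxied-authorization control at the BER level
(RFC 4511 Control ::= SEQUENCE { controlType, criticality, controlValue }),
so a captured control can be inspected independently of either server.
Pure standard-library Python; the DNs below are constructed examples.
"""

PROXY_AUTHZ_V2 = "2.16.840.1.113730.3.4.18"  # RFC 4370: value is the raw authzId
PROXY_AUTHZ_V1 = "2.16.840.1.113730.3.4.12"  # older draft; assumed SEQUENCE { LDAPDN }


def _ber_len(n: int) -> bytes:
    """BER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def encode_proxy_authz_control(authz_id: str, oid: str = PROXY_AUTHZ_V2,
                               ber_wrap: bool = False, critical: bool = True) -> bytes:
    """Build a Control. ber_wrap=True produces the assumed v1 SEQUENCE { DN } value;
    combining it with the v2 OID reproduces a mismatched control for testing."""
    if ber_wrap:
        dn = authz_id[3:] if authz_id.startswith("dn:") else authz_id
        value = _tlv(0x30, _tlv(0x04, dn.encode()))
    else:
        value = authz_id.encode()  # RFC 4370: authzId octets, no BER wrapping
    parts = _tlv(0x04, oid.encode())
    if critical:
        parts += _tlv(0x01, b"\xff")  # criticality TRUE
    parts += _tlv(0x04, value)
    return _tlv(0x30, parts)


def decode_proxy_authz_control(control: bytes) -> dict:
    """Parse a Control and classify its value as rfc4370 / v1 / ber-wrapped-under-v2 / malformed."""
    tag, body, _ = _read_tlv(control, 0)
    if tag != 0x30:
        raise ValueError("control is not a SEQUENCE")
    tag, oid_bytes, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType is not an OCTET STRING")
    oid, critical, value = oid_bytes.decode(), False, b""
    while pos < len(body):  # optional criticality, optional controlValue
        tag, payload, pos = _read_tlv(body, pos)
        if tag == 0x01:
            critical = payload != b"\x00"
        elif tag == 0x04:
            value = payload
    result = {"oid": oid, "critical": critical, "form": "malformed", "authz_id": None}
    if oid == PROXY_AUTHZ_V2:
        text = value.decode("utf-8", "replace")
        if text == "" or text.startswith(("dn:", "u:")):  # empty authzId = anonymous
            result.update(form="rfc4370", authz_id=text)
        elif value[:1] == b"\x30":
            result["form"] = "ber-wrapped-under-v2"
    elif oid == PROXY_AUTHZ_V1 and value[:1] == b"\x30":
        _, inner, _ = _read_tlv(value, 0)
        tag, dn, _ = _read_tlv(inner, 0)
        if tag == 0x04:
            result.update(form="v1", authz_id="dn:" + dn.decode())
    return result


if __name__ == "__main__":
    sample = "dn:uid=example,cn=users,dc=corp,dc=example,dc=com"  # constructed
    for kwargs in ({}, {"ber_wrap": True}, {"oid": PROXY_AUTHZ_V1, "ber_wrap": True}):
        ctrl = encode_proxy_authz_control(sample, **kwargs)
        print(ctrl.hex(), decode_proxy_authz_control(ctrl))
```

To use it on a real capture, copy the hex of the Control element from the search request (the `controls` field of the LDAPMessage) into `decode_proxy_authz_control(bytes.fromhex(...))`; a result of `ber-wrapped-under-v2` or `malformed` points at the proxy's encoding, while `rfc4370` with the expected authzId means the control is well-formed and the problem lies elsewhere.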