Re: openldap 2.4.21 - back-ldap + pcache ... backend binding
> Hi Folks,
>
> I am having trouble configuring openldap to my requirements.
>
> I am setting up an openldap server running on Solaris 10 x86 to use as
> an ldap proxy authentication server.
>
> My issue is that I can't get it to send authenticated simple binds to the
> backend ldap system. I am running Wireshark, and when I ldapsearch directly
> to the backend ldap I see a bind which looks like this:
> Lightweight-Directory-Access-Protocol
> LDAPMessage bindRequest(1)
> "cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" simple
> messageID: 1
> protocolOp: bindRequest (0)
> bindRequest
> version: 3
> name:
> cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com
> authentication: simple (0)
> simple: 384174656C73747261316732
>
> However, when I initiate an ldapsearch to my local Solaris slapd and
> capture the proxied back-ldap bind to the backend ldap system, it looks
> like this:
> Lightweight-Directory-Access-Protocol
> LDAPMessage bindRequest(1) "<ROOT>" simple
> messageID: 1
> protocolOp: bindRequest (0)
> bindRequest
> version: 3
> name:
> authentication: simple (0)
> simple: <MISSING>
>
> I am having trouble working out from the documentation whether it should be
> acl-bind or idassert-bind or some other option which influences the
> backend bind. I have tried both of those to no avail.
> Here is the "database ldap" section from my slapd.conf:
>
> #######################################################################
> # ldap database definitions
> #######################################################################
> database ldap
> uri "ldap://backendldap.core.dir.mycompany.com"
> suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
> rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
> acl-bind bindmethod=simple
> binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
> credentials="password"
> idassert-bind bindmethod=simple
> binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
> credentials="password"
The relevant directive is "idassert-bind", since you appear to be looking
for an identity assertion. I hope what you posted was screwed up by the
mailer: continuation lines must start with whitespace. What is missing
above is the "mode=self" parameter to "idassert-bind". Try something like

idassert-bind bindmethod=simple
    binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
    credentials="password"
    mode=self

p.
> overlay pcache
> proxycache bdb 400 1 50 1200
> directory /var/openldap-data
> cachesize 10000
> index cn,sn,uid pres,eq,sub
> index objectclass eq
>
> proxycachequeries 400
> proxyattrset 0 uid mail cn sn givenName
> proxytemplate (uid=) 0 600
> proxytemplate (mail=) 0 600
> proxytemplate (&(uid=)(mail=)) 0 600
>
> Any help would be greatly appreciated.
>
> Regards Rep
>
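The reply above hinges on two things: slapd.conf joins a line to the previous directive only when it starts with whitespace, and idassert-bind needs mode=self. The following added example (not code from the thread or from OpenLDAP) mimics that continuation-line rule, as documented in slapd.conf(5), to show what the idassert-bind directive actually receives from the posted config versus the corrected one; the two config fragments are constructed and the checker function is hypothetical.

```python
import shlex

# Constructed sample: continuation lines with no leading whitespace, as posted.
BROKEN = """\
database ldap
idassert-bind bindmethod=simple
binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
credentials="password"
"""

# Constructed sample: continuation lines indented, plus mode=self.
FIXED = """\
database ldap
idassert-bind bindmethod=simple
    binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
    credentials="password"
    mode=self
"""

def join_continuations(text):
    """Assumed slapd.conf rule: a line starting with whitespace is appended
    to the previous logical line; anything else starts a new directive."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    return logical

def idassert_bind_params(text):
    """Return (params seen by idassert-bind, names of parameters that ended
    up as separate directives because their line was not indented)."""
    params, stray = {}, []
    for line in join_continuations(text):
        tokens = shlex.split(line)  # strips the quotes around DN/password
        if tokens[0] == "idassert-bind":
            for tok in tokens[1:]:
                key, _, value = tok.partition("=")
                params[key] = value
        elif tokens[0].split("=")[0] in ("binddn", "credentials", "mode"):
            stray.append(tokens[0].split("=")[0])
    return params, stray

def check_identity_assertion(text):
    """Hypothetical lint: list the problems that reproduce the empty bind."""
    params, stray = idassert_bind_params(text)
    problems = []
    if stray:
        problems.append("unindented continuation lines: " + ", ".join(stray))
    if "binddn" not in params:
        problems.append("idassert-bind has no binddn, so there is no identity to assert")
    if params.get("mode") != "self":
        problems.append("idassert-bind lacks mode=self")
    return problems
```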