Re: slapd-meta idassert with SASL EXTERNAL not working correctly



>> Hi,
>>
>> I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers
>> using slapd-meta.
>> The remote servers require SASL EXTERNAL authentication, so I have to
>> configure TLS client auth.
>>
>> The relevant part of my slapd.conf looks like this:
>> -------------------------------------------------
>> database meta
>> suffix "dc=example"
>>
>> uri "ldaps://server2:636/cn=server2,dc=example"
>> idassert-authzFrom "dn:*"
>> idassert-bind bindmethod=sasl
>>              saslmech=EXTERNAL
>>              tls_cert=mycert.crt
>>              tls_key=mycert.key
>>              tls_cacert=trusted-ca.pem
>>              mode=none

Add

tls start

here to request TLS to be established on connections (see slapd-meta(5)
for details).  I think this should be implicitly enabled by idassert-bind
when it requires TLS (or at least its need should be documented).

p.