back_meta and referrals authentication
- To: openldap-technical@openldap.org
- Subject: back_meta and referrals authentication
- From: Javier Sanz <jsceballos@gmail.com>
- Date: Fri, 24 Sep 2010 14:00:16 +0200
- Cc: "javier.sanz" <javier.sanz@pandasecurity.com>
Hi,
After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it
looks like the bindings to the referrals of the external LDAP servers
are no longer being made using the authentication information
specified in pseudorootdn and pseudorootpw, but are being made
anonymously. I have a backend meta that encapsulates a local LDAP
server and some remote ones, mainly Active Directory ones not under my
control. It also has a pcache overlay. Until now, pseudoroot* auth.
info. was used both when binding to Active Directories and when
chasing their referrals, but now it is only being used to bind to the
ADs and the binds to their referrals are being made anonymously.
Is that behavior still supported? When slapd starts, it prints:
line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use
"idassert-bind" and "idassert-authzFrom" instead.
But slapd starts correctly. Does that mean that the directive works as
it used to but will be removed in the future, or that its
functionality is deactivated until the user replaces it with
idassert-bind?
If it is the former, then the problem should be related to some other
change between 2.3 and 2.4; what could it be?
If it is the latter and pseudorootdn must be replaced with
idassert-bind, I have tried it with all kinds of modes (none, self,
legacy), flags, and different idassert-authzFrom's,
with no success.
I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried
upgrading to 2.4.17 with the same results. Bindings from clients to my
server are always done using the same DN (rootdn).
It has been some days now since I started looking into this, so any
help is greatly appreciated.
Here is the relevant config:
(...includes...)
loglevel config stats stats2
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload back_meta
moduleload pcache
allow update_anon
access to * by * write
database meta
suffix "dc=myldap,dc=local"
rootdn "cn=manager,dc=myldap,dc=local"
rootpw "passwd"
chase-referrals yes
rebind-as-user no
dncache-ttl forever
network-timeout 5
nretries 5
idle-timeout 5m
pseudoroot-bind-defer yes
overlay pcache
(...cache options..)
uri "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"
pseudorootdn "CN=Administrator,DC=Users,DC=externalldap,DC=com"
pseudorootpw windowsadminpasswd
(...maps...)
Thanks,
Javier
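Added example, not part of Javier's message or of the OpenLDAP project: the idassert-bind form that the slapd startup warning points to, written against the target section from the posted config. The DNs are taken from that config; the password placeholder and the choice of idassert-authzFrom rule (the post says every client binds as the rootdn) are assumptions, and the fragment does not claim to settle whether the asserted identity is reused when referrals are chased.

```conf
# Added example, not from the original message: idassert-bind in place of
# pseudorootdn/pseudorootpw. DNs come from the posted config; the password
# placeholder and the idassert-authzFrom rule are assumptions.
database        meta
suffix          "dc=myldap,dc=local"
rootdn          "cn=manager,dc=myldap,dc=local"
# rootpw and the remaining database-level directives as in the original

uri             "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage   "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"

# Replaces:
#   pseudorootdn "CN=Administrator,DC=Users,DC=externalldap,DC=com"
#   pseudorootpw windowsadminpasswd
# mode=none: bind to the target as binddn and send no proxyAuthz control,
# so the target sees every proxied operation as that account, which is
# what pseudorootdn did. Lines starting with whitespace continue the
# previous directive in slapd.conf.
idassert-bind   bindmethod=simple
                binddn="CN=Administrator,DC=Users,DC=externalldap,DC=com"
                credentials="<AD-ADMIN-PASSWORD-PLACEHOLDER>"
                mode=none

# Only operations arriving under this local identity may use the asserted
# bind; assumed here because the post says all clients bind as the rootdn.
# Requests from any other identity do not get the administrator's rights.
idassert-authzFrom "dn.exact:cn=manager,dc=myldap,dc=local"
```

The fragment still carries a cleartext credential for a remote administrator account, exactly as pseudorootpw did, so slapd.conf must remain readable only by the account slapd runs as. `slaptest -f slapd.conf -u` checks that the rewritten section parses before slapd is restarted.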