
Re: Certificate authentication and back-ldap proxy



Hi,

On 23/04/10 17:17, masarati@aero.polimi.it wrote:
>
> The problem is that you probably do not realize that the proxy cannot do a
> cert-based authentication on behalf of the client because it doesn't have
> the client's private key (which is correct).  You need the proxy perform
> an identity assertion: bind to the remote server with its own identity,
> and then assert the client's identity using proxy authorization.
>
> To do this, you need to:
>
> a) define some means for the proxy to bind to the remote server, e.g.
> using cert-based SASL EXTERNAL, or simple bind under TLS, or whatever;
>
> b) configure the remote server so that the proxy's identity defined in (a)
> is allowed to proxy authz as whatever client's identity you want to
> accept; this requires to use the directive "authz-policy"; you may need to
> use the "authz-regexp" if you intend to map the client's identity; and
> you'll need to populate the "authzTo" operational attribute of the entry
> corresponding to the proxy's identity.
>
> c) add to the proxy configuration the directive
>
> idassert-bind bindmethod=<what you chose for (a)>
>     <bind parameters for (a)>
>     mode=self
>
>   

The simple bind under TLS worked, but when I try to use cert-based
SASL EXTERNAL authentication I get no success.

In the proxy server configuration I add the following directive:

idassert-bind   bindmethod=sasl
                saslmech=EXTERNAL
                binddn="CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
                tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
                tls_key=/etc/ssl/private/proxy-server1.example.com.key
                tls_cacertdir=/etc/ssl/cacerts/
                tls_reqcert=demand
                mode=self


In the master (remote) server I set:

#
# Authz
#
authz-policy to
authz-regexp "CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" cn=proxy_id,dc=example,dc=com

    The cn=proxy_id,dc=example,dc=com has the following content:

ldapsearch -LLL -b 'cn=proxy_id,dc=example,dc=com' -H ldaps://proxy-server1.example.com -x -D 'cn=Manager,dc=example,dc=com' -w secret authzTo
dn: cn=proxy_id,dc=example,dc=com
authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)


But when I try to modify a password through the proxy I get the
following error:
ldapmodify -x -H ldaps://proxy-server1.example.com -f pass2_user.ldif -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W
Enter LDAP Password:
modifying entry "uid=user_w_pass,ou=people,dc=example,dc=com"
ldap_modify: Insufficient access (50)

With simple bind I got the following message in syslog:
ldap-master[11314]: conn=1002 op=1 PROXYAUTHZ dn="uid=user_w_pass,ou=people,dc=example,dc=com"
But not in the cert-based SASL EXTERNAL case.

    Is there something wrong in the configuration?

    Thanks in advance.

> This way, the proxy will:
>
> - authc the client locally
>
> - authc as itself with respect to the remote host
>
> - proxy operations adding the proxyAuthz control with the identity of the
> client
>
> See slapd-ldap(5) for details on the syntax of the idassert-* directives.
>
> p.
>
>   

Ubay Dorta Guerra
Engineer, Servicios Informáticos Comunes. Grupo de Sistemas y Comunicaciones.
Instituto de Astrofísica de Canarias
udorta@iac.es
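The remote server in this setup performs two steps before it honours the proxy's asserted identity: it maps the authc DN derived from the proxy's certificate through authz-regexp, and it then checks the asserted user DN against the authzTo URL on the mapped entry. The script below, an added example that is not code from this thread or from OpenLDAP, walks those two steps offline against the values quoted above so that a pattern/identity mismatch or an authzTo scope gap can be spotted before touching the servers. It assumes slapd matches authz-regexp patterns case-insensitively against the normalized (lowercased) DN, and it checks only the URL's base and scope; the filter (here objectClass=person) is reported, not evaluated, because that needs the target entry. The subject DN strings and the user DN are constructed samples mirroring the thread.

```python
import re

# Constructed values mirroring the thread's configuration (hypothetical).
AUTHZ_REGEXP_RULES = [
    # (authz-regexp <match>, <replace>) as in slapd.conf; first match wins.
    (r"^cn=proxy-server1\.example\.com,o=Internet Widgits Pty Ltd,st=Some-State,c=AU$",
     "cn=proxy_id,dc=example,dc=com"),
]
AUTHZ_TO = "ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)"


def split_dn(dn):
    """Split a DN string on unescaped commas (backslash escapes only)."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    return rdns


def normalize_dn(dn):
    """Approximation of slapd's normalized DN: trimmed RDNs, all lowercase
    (attribute types and caseIgnore values such as cn/o/st/c). Assumed form."""
    return ",".join(rdn.strip().lower() for rdn in split_dn(dn))


def map_authc_identity(authc_dn, rules):
    """Apply authz-regexp rules in order to the normalized authc identity.
    Matching is case-insensitive (assumed to mirror slapd); $1-style
    backreferences in the replacement are translated to Python's \\1."""
    norm = normalize_dn(authc_dn)
    for pattern, replacement in rules:
        m = re.search(pattern, norm, re.IGNORECASE)
        if m:
            return m.expand(re.sub(r"\$(\d+)", r"\\\1", replacement))
    return None


def parse_ldap_url(url):
    """Parse an ldap:///base?attrs?scope?filter URL (RFC 4516 field order)
    as used in authzTo. A missing scope defaults to "base"."""
    if not url.startswith("ldap:///"):
        raise ValueError("expected an ldap:/// URL without a host part")
    fields = url[len("ldap:///"):].split("?", 3)
    fields += [""] * (4 - len(fields))
    base, attrs, scope, filt = fields
    return base, attrs, (scope.lower() or "base"), filt


def dn_within(target_dn, base_dn, scope):
    """Base-and-scope test only: is target_dn covered by (base_dn, scope)?"""
    t = split_dn(normalize_dn(target_dn))
    b = split_dn(normalize_dn(base_dn))
    if len(t) < len(b) or t[len(t) - len(b):] != b:
        return False
    depth = len(t) - len(b)
    return {"base": depth == 0, "one": depth == 1,
            "sub": True, "subordinate": depth >= 1}.get(scope, False)


def check_idassert(authc_dn, rules, authz_to_url, asserted_dn):
    """Walk the two checks the remote server makes under 'authz-policy to':
    1. map the proxy's authc identity through authz-regexp;
    2. test the asserted identity against the mapped entry's authzTo URL.
    The URL filter is returned untested (evaluating it needs the entry)."""
    mapped = map_authc_identity(authc_dn, rules)
    if mapped is None:
        return {"mapped": None, "covered": False, "filter": None,
                "reason": "no authz-regexp matched the authc identity"}
    base, _attrs, scope, filt = parse_ldap_url(authz_to_url)
    covered = dn_within(asserted_dn, base, scope)
    return {"mapped": mapped, "covered": covered, "filter": filt,
            "reason": "ok" if covered
            else f"{asserted_dn} is outside {base} (scope {scope})"}


if __name__ == "__main__":
    # Subject DN in the leaf-first (RFC 2253) order slapd derives from the
    # client certificate on a SASL EXTERNAL bind. Constructed sample.
    subject_leaf_first = "CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
    # The same subject in OpenSSL's one-line display order; a pattern written
    # against this order would not match what slapd sees. Constructed sample.
    subject_openssl_order = "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd,CN=proxy-server1.example.com"
    user = "uid=user_w_pass,ou=people,dc=example,dc=com"
    for subj in (subject_leaf_first, subject_openssl_order):
        print(subj, "->", check_idassert(subj, AUTHZ_REGEXP_RULES, AUTHZ_TO, user))
```

Against a live master the same two questions are answered by ldapwhoami: a `-Y EXTERNAL` bind over TLS with the proxy's certificate (LDAPTLS_CERT and LDAPTLS_KEY pointing at the files named in the idassert-bind directive) prints the authc DN the server actually derived, and repeating that bind with `-e authzid=dn:<user DN>` exercises the authzTo rule; a PROXYAUTHZ line should then appear in the master's log, as it does in the simple-bind case above.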