
Re: Certificate authentication and back-ldap proxy



Hi,

On Mon, 27 Dec 2010 15:15:21 +0000,
Ubay Dorta Guerra <udorta@iac.es> wrote:

> Hi,
> 
> On 23/04/10 17:17, masarati@aero.polimi.it wrote:
> >
> > The problem is that you probably do not realize that the proxy
> > cannot do a cert-based authentication on behalf of the client
> > because it doesn't have the client's private key (which is
> > correct).  You need the proxy perform an identity assertion: bind
> > to the remote server with its own identity, and then assert the
> > client's identity using proxy authorization.
> >
> > To do this, you need to:
> >
> > a) define some means for the proxy to bind to the remote server,
> > e.g. using cert-based SASL EXTERNAL, or simple bind under TLS, or
> > whatever;
> >
> > b) configure the remote server so that the proxy's identity defined
> > in (a) is allowed to proxy authz as whatever client's identity you
> > want to accept; this requires to use the directive "authz-policy";
> > you may need to use the "authz-regexp" if you intend to map the
> > client's identity; and you'll need to populate the "authzTo"
> > operational attribute of the entry corresponding to the proxy's
> > identity.
> >
> > c) add to the proxy configuration the directive
> >
> > idassert-bind bindmethod=<what you chose for (a)>
> >     <bind parameters for (a)>
> >     mode=self
> >
> >   
> 
>      The simple bind under TLS worked, but when I try to use cert-based
> SASL EXTERNAL authentication I get no success.
> 
>    In the proxy server configuration I add the following directive:
> 
> idassert-bind   bindmethod=sasl
>                 saslmech=EXTERNAL
>                 binddn="CN=proxy-server1.example.com,O=Internet

The binddn should be empty, or just don't configure a binddn.

> Widgits Pty Ltd,ST=Some-State,C=AU"
>                 tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
>                 tls_key=/etc/ssl/private/proxy-server1.example.com.key
>                 tls_cacertdir=/etc/ssl/cacerts/
>                 tls_reqcert=demand
>                 mode=self
> 
> 
>     In the master (remote) server i set:

Did you ever test the certificate chain?
Create a file ~/.ldaprc with
TLS_CERT /etc/ssl/certs/proxy-server1.example.com.pem
TLS_KEY  /etc/ssl/certs/proxy-server1.example.com.key
TLS_CACERTDIR /etc/ssl/cacerts

and run ldapwhoami -Y EXTERNAL -ZZ ldap://your.host


-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N
10°08'02,42"E
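As an added example (not code from this thread or from OpenLDAP), a small Python checker for the proxy-side idassert-bind directive discussed above: it joins slapd.conf continuation lines, flags the binddn that should not be there for SASL EXTERNAL, and renders the ~/.ldaprc from the reply so the certificate chain can be tested with ldapwhoami first. SAMPLE_CONF is constructed from the values quoted in the thread; the function names are hypothetical.

```python
import shlex

# Constructed sample (assumption): the proxy directive from the thread as slapd.conf lines.
SAMPLE_CONF = """\
idassert-bind   bindmethod=sasl
                saslmech=EXTERNAL
                binddn="CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
                tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
                tls_key=/etc/ssl/private/proxy-server1.example.com.key
                tls_cacertdir=/etc/ssl/cacerts/
                tls_reqcert=demand
                mode=self
"""

def parse_idassert_bind(text):
    """Join continuation lines (leading whitespace) and return the idassert-bind
    parameters as a dict; shlex keeps a quoted binddn with spaces as one value."""
    logical = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0] in " \t" and logical:
            logical[-1] += " " + line.strip()
        else:
            logical.append(line.strip())
    for entry in logical:
        tokens = shlex.split(entry)
        if tokens and tokens[0] == "idassert-bind":
            return dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
    return None

def check_sasl_external(params):
    """Findings for a SASL EXTERNAL identity assertion, following the reply above."""
    if params.get("bindmethod") != "sasl" or params.get("saslmech", "").upper() != "EXTERNAL":
        return ["not a SASL EXTERNAL idassert-bind; nothing to check"]
    findings = []
    if params.get("binddn"):  # identity comes from the certificate, not from a DN
        findings.append("binddn is set: leave it empty or omit it for SASL EXTERNAL")
    for key in ("tls_cert", "tls_key"):
        if not params.get(key):
            findings.append(f"{key} missing: EXTERNAL needs a client cert and key")
    if params.get("mode") != "self":
        findings.append("mode=self missing: the proxy will not assert the client's identity")
    return findings

def ldaprc_for_chain_test(params):
    """Render the ~/.ldaprc from the reply, for `ldapwhoami -Y EXTERNAL -ZZ ldap://your.host`."""
    return (f"TLS_CERT {params['tls_cert']}\nTLS_KEY {params['tls_key']}\n"
            f"TLS_CACERTDIR {params['tls_cacertdir']}\n")
```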