Re: Certificate authentication and back-ldap proxy
Hi,
On 28/12/10 12:00, openldap-technical-request@OpenLDAP.org wrote:
> Hi,
> On Mon, 27 Dec 2010 15:15:21 +0000
> Ubay Dorta Guerra <udorta@iac.es> wrote:
>
>
>> The simple bind under TLS worked but when I try to use cert-based
>> SASL EXTERNAL authentication I get no success.
>>
>> In the proxy server configuration I add the following directive
>>
>> idassert-bind bindmethod=sasl
>> saslmech=EXTERNAL
>> binddn="CN=proxy-server1.example.com,O=Internet
>>
> the binddn should be empty or just don't configure a binddn.
>
>
Thank you very much.
I have deleted the binddn from the proxy configuration:
idassert-bind bindmethod=sasl
saslmech=EXTERNAL
tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
tls_key=/etc/ssl/private/proxy-server1.example.com.key
tls_cacertdir=/etc/ssl/cacerts/
tls_reqcert=demand
mode=self
Now when I make a password change:
ldapmodify -x -H ldaps://proxy-server1.example.com -f pass2_user.ldif -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W
Enter LDAP Password:
modifying entry "uid=user_w_pass,ou=people,dc=example,dc=com"
I get the following messages in syslog:
ldap-proxy[16709]: conn=1054 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[16709]: conn=1054 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" method=128
ldap-master[16879]: conn=1022 fd=20 TLS established tls_ssf=256 ssf=256
ldap-master[16879]: conn=1022 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" method=128
ldap-master[16879]: conn=1022 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
ldap-master[16879]: conn=1022 op=0 RESULT tag=97 err=0 text=
ldap-proxy[16709]: conn=1054 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
ldap-proxy[16709]: conn=1054 op=0 RESULT tag=97 err=0 text=
ldap-proxy[16709]: conn=1054 op=1 MOD dn="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-proxy[16709]: conn=1054 op=1 MOD attr=userPassword
ldap-master[16879]: conn=1002 op=7 PROXYAUTHZ dn="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[16879]: conn=1002 op=7 MOD dn="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[16879]: conn=1002 op=7 MOD attr=userPassword
ldap-master[16879]: conn=1002 op=7 RESULT tag=103 err=0 text=
ldap-proxy[16709]: conn=1054 op=1 RESULT tag=103 err=0 text=
ldap-proxy[16709]: conn=1054 op=2 UNBIND
ldap-proxy[16709]: conn=1054 fd=8 closed
Regards.
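As an added example (not part of this thread or of OpenLDAP), a small Python check that reads slapd log records like the ones quoted above and verifies what a working idassert trace should show: every SIMPLE bind landed on a connection that had already negotiated TLS, and the userPassword change on the backend carries a PROXYAUTHZ for the client's DN, i.e. the proxy asserted the user's identity (mode=self) instead of writing as its own certificate identity. The server names ldap-proxy and ldap-master and the sample records are taken from the log above; the audit function and its output format are this example's own.

```python
import re

# Constructed sample input: the slapd syslog records quoted in the message above
# (a subset, each record rejoined onto one line).
SAMPLE_LOG = """\
ldap-proxy[16709]: conn=1054 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[16709]: conn=1054 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" method=128
ldap-master[16879]: conn=1022 fd=20 TLS established tls_ssf=256 ssf=256
ldap-master[16879]: conn=1022 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
ldap-master[16879]: conn=1022 op=0 RESULT tag=97 err=0 text=
ldap-proxy[16709]: conn=1054 op=0 BIND dn="uid=user_w_pass,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
ldap-proxy[16709]: conn=1054 op=0 RESULT tag=97 err=0 text=
ldap-proxy[16709]: conn=1054 op=1 MOD dn="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-proxy[16709]: conn=1054 op=1 MOD attr=userPassword
ldap-master[16879]: conn=1002 op=7 PROXYAUTHZ dn="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[16879]: conn=1002 op=7 MOD dn="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[16879]: conn=1002 op=7 MOD attr=userPassword
ldap-master[16879]: conn=1002 op=7 RESULT tag=103 err=0 text=
ldap-proxy[16709]: conn=1054 op=1 RESULT tag=103 err=0 text=
"""

RECORD = re.compile(r'^(?P<srv>[\w-]+)\[\d+\]: conn=(?P<conn>\d+) (?:op=(?P<op>\d+) )?(?P<rest>.*)$')
DN = re.compile(r'dn="([^"]*)"')

def audit(log, backend='ldap-master'):
    """Return (findings, changes): findings are failed checks (empty means all passed);
    changes are (server, conn, op, target dn, dn asserted by PROXYAUTHZ or None)."""
    tls, authz, mod_dn, findings, changes = set(), {}, {}, [], []
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # not a conn= record (e.g. a daemon start-up message)
        srv, conn, rest = m['srv'], int(m['conn']), m['rest']
        key = (srv, conn, int(m['op']) if m['op'] else None)
        if 'TLS established' in rest:
            tls.add((srv, conn))
        elif rest.startswith('BIND') and 'mech=SIMPLE' in rest and (srv, conn) not in tls:
            # ssf=0 on a SIMPLE bind is the SASL SSF; TLS is logged per connection, so check that record.
            findings.append(f'{srv} conn={conn}: SIMPLE bind on a connection without TLS')
        elif rest.startswith('PROXYAUTHZ'):
            authz[key] = DN.search(rest)[1]
        elif rest.startswith('MOD dn='):
            mod_dn[key] = DN.search(rest)[1]
        elif rest == 'MOD attr=userPassword':
            changes.append(key + (mod_dn.get(key), authz.get(key)))
            # idassert mode=self must show the client's identity via PROXYAUTHZ on the same conn/op.
            if srv == backend and authz.get(key) is None:
                findings.append(f'{srv} conn={conn} op={key[2]}: userPassword change without PROXYAUTHZ')
    return findings, changes
```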