[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP proxy, identity assertion and suffix massage



Hello,

I am using OpenLDAP 2.4.26 on GNU/Linux. I would like to configure a
simple proxy with identity assertion and suffix massage and assert
identity for the rootdn of my LDAP backend, to match the rootdn of the
proxied backend (on port 390).

Here is my configuration :

------------
database        ldap
suffix          "ou=am,dc=local"
rootdn "cn=manager,ou=am,dc=local"
rootpw secretproxy

uri ldap://127.0.0.1:390

idassert-bind bindmethod=simple
   binddn="cn=admin,dc=example,dc=com"
   credentials="secret"
   mode=none
idassert-authzFrom "dn.exact:cn=manager,ou=am,dc=local"

overlay rwm
rwm-suffixmassage   "ou=am,dc=local" "dc=example,dc=com"
------------


When I try to authenticate with "cn=manager,ou=am,dc=local" on the
proxy, the bind is forwarded to the proxied directory directly, as
"cn=manager,dc=example,dc=com". It seems the rwm overlay has done the
substitution, so the idassert-authzFrom does not match. This ended
with an LDAP error 48, as we can see here:

------------
>>> dnPrettyNormal: <cn=manager,ou=am,dc=local>
=> ldap_bv2dn(cn=manager,ou=am,dc=local,0)
<= ldap_bv2dn(cn=manager,ou=am,dc=local)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,ou=am,dc=local)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,ou=am,dc=local)=0
<<< dnPrettyNormal: <cn=manager,ou=am,dc=local>, <cn=manager,ou=am,dc=local>
conn=1001 op=0 BIND dn="cn=manager,ou=am,dc=local" method=128
do_bind: version=3 dn="cn=manager,ou=am,dc=local" method=128
==> rewrite_context_apply [depth=1] string='cn=manager,ou=am,dc=local'
==> rewrite_rule_apply rule='((.+),)?ou=am,[ ]?dc=local$'
string='cn=manager,ou=am,dc=local' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'cn=manager,dc=example,dc=com'}
[rw] bindDN: "cn=manager,ou=am,dc=local" -> "cn=manager,dc=example,dc=com"
>>> dnPrettyNormal: <cn=manager,dc=example,dc=com>
=> ldap_bv2dn(cn=manager,dc=example,dc=com,0)
<= ldap_bv2dn(cn=manager,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
<<< dnPrettyNormal: <cn=manager,dc=example,dc=com>,
<cn=manager,dc=example,dc=com>
===>slap_sasl_match: comparing DN cn=manager,dc=example,dc=com to rule
dn:cn=manager,ou=am,dc=local
slap_parseURI: parsing dn:cn=manager,ou=am,dc=local
<===slap_sasl_match: comparison returned 48
send_ldap_result: conn=1001 op=0 p=3
send_ldap_result: err=48 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=48
------------


Do you have any suggestion for using the idassert-authzFrom parameter
with the suffixmassage?


Thanks for your help,

Clément.