Re: Controlled LDAP Proxy/Relay
On 08/02/2012 09:58, W.Siebert@t-systems.com wrote:
> Is it possible to implement the controlled proxy with OpenLDAP?
> E.g., like Radiusproxy based on realm: when username is xxx@domain01.com
> go to the target1, and when username is xxx@domain99.net go to the target2.
Yes, a combination of meta database config in slapd.conf and appropriate
SASL config.
In your schema, use the following in userPassword:
userPassword: {SASL}xxx@DOMAIN
where DOMAIN is whichever domain the user needs to be authenticated against.
In slapd.conf:
database meta
suffix dc=local
rootdn cn=administrator,dc=local
rootpw secret

# domain01: requests under ou=domain01.com,dc=local are forwarded here
uri ldaps://domain01.com:3269/ou=domain01.com,dc=local
lastmod off
suffixmassage "ou=domain01.com,dc=local" "dc=domain01,dc=com"
idassert-bind bindmethod=simple
        binddn="cn=binder,dc=domain01,dc=com"
        credentials="password"
        flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=administrator,dc=local"

# domain02: requests under ou=domain02.com,dc=local are forwarded here
uri ldaps://domain02.com:3269/ou=domain02.com,dc=local
lastmod off
suffixmassage "ou=domain02.com,dc=local" "dc=domain02,dc=com"
idassert-bind bindmethod=simple
        binddn="cn=binder,dc=domain02,dc=com"
        credentials="password"
        flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=administrator,dc=local"
In saslauthd.conf you need to create the appropriate search base for
authentication based on the domain in the userPassword field:
ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta
ldap_search_base: ou=%d,dc=local
ldap_filter: (sAMAccountName=%U)
ldap_auth_method: bind
ldap_bind_dn: cn=administrator,dc=local
ldap_password: secret
ldap_deref: never
ldap_use_sasl: no
Hopefully this is enough info to get you going.
--
Liam Gretton liam.gretton@le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
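The routing the post describes, modelled end to end as an added example (this is not code from the post, from OpenLDAP or from saslauthd): it takes a `{SASL}user@REALM` userPassword value, derives the saslauthd search base (`ou=%d,dc=local`) and filter (`(sAMAccountName=%U)`), and applies the slapd-meta suffixmassage rewrite for that realm. The `TARGETS` table, the DNs and the lowercasing of the realm are constructed assumptions chosen to match the configuration above; whether saslauthd itself escapes `%U` is not asserted here, so the model escapes the filter value explicitly and rejects any realm that has no configured target rather than interpolating it into a DN.

```python
"""Model of realm-based routing through slapd-meta and saslauthd (constructed example)."""

META_SUFFIX = "dc=local"

# Constructed: one entry per "uri ... ou=<realm>,dc=local" target in slapd.conf,
# mapping the realm to the remote suffix named in its suffixmassage directive.
TARGETS = {
    "domain01.com": "dc=domain01,dc=com",
    "domain02.com": "dc=domain02,dc=com",
}


def parse_sasl_userpassword(value):
    """Split a '{SASL}user@REALM' userPassword value into (user, realm).

    The realm is lowercased (modelling choice): DNS domains are case-insensitive
    and the TARGETS lookup below is an exact string match."""
    prefix = "{SASL}"
    if not value.startswith(prefix):
        raise ValueError("not a {SASL} pass-through userPassword")
    user, sep, realm = value[len(prefix):].rpartition("@")
    if not sep or not user or not realm:
        raise ValueError("expected user@REALM after {SASL}")
    return user, realm.lower()


def escape_filter_value(s):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    special = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(special.get(ch, ch) for ch in s)


def massage_dn(dn, local_suffix, remote_suffix):
    """Rewrite the trailing suffix of a DN the way slapd-meta's suffixmassage
    does for requests sent to a target. The suffix match is case-insensitive;
    a DN that does not end in local_suffix is returned unchanged."""
    if dn.lower() == local_suffix.lower():
        return remote_suffix
    tail = "," + local_suffix.lower()
    if dn.lower().endswith(tail):
        return dn[:-len(tail)] + "," + remote_suffix
    return dn


def route(userpassword):
    """Compute the saslauthd search and the slapd-meta forwarding for one user.

    Mirrors ldap_search_base 'ou=%d,dc=local' (%d = realm) and
    ldap_filter '(sAMAccountName=%U)' (%U = user part) from saslauthd.conf,
    then the suffixmassage from slapd.conf. An unknown realm is rejected
    instead of being interpolated into a DN, so a realm that matches no
    configured target cannot steer the search anywhere."""
    user, realm = parse_sasl_userpassword(userpassword)
    if realm not in TARGETS:
        raise LookupError("no meta target configured for realm %r" % realm)
    local_base = "ou=%s,%s" % (realm, META_SUFFIX)
    return {
        "search_base": local_base,
        "filter": "(sAMAccountName=%s)" % escape_filter_value(user),
        "remote_base": massage_dn(local_base, local_base, TARGETS[realm]),
    }


if __name__ == "__main__":
    for pw in ("{SASL}alice@domain01.com", "{SASL}bob@DOMAIN02.COM"):
        print(pw, "->", route(pw))
    # An entry DN returned by a target is massaged back the same way in reverse:
    print(massage_dn("cn=alice,ou=users,ou=domain01.com,dc=local",
                     "ou=domain01.com,dc=local", "dc=domain01,dc=com"))
```

Running it shows the two-step mapping for each realm; adding a third realm means adding both a `uri`/`suffixmassage` pair in slapd.conf and a matching entry in the table, which is the same coupling the real setup has between the meta targets and the `ou=%d` search base.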