
Re: Controlled LDAP Proxy/Relay



On 1 March 2012 11:03, Liam Gretton <liam.gretton@leicester.ac.uk> wrote:
> On 08/02/2012 09:58, W.Siebert@t-systems.com wrote:
>
>> Is it possible to implement the controlled proxy with OpenLDAP?
>> E.g., like Radiusproxy based on realm: when username is xxx@domain01.com
>> go to the target1, and when username is xxx@domain99.net go to the target2.
>
>
> Yes, a combination of meta database config in slapd.conf and appropriate
> SASL config.
>
> In your schema, use the following in userPassword:
>
> userPassword: {SASL}xxx@DOMAIN
>
> where DOMAIN is whichever domain the user needs to be authenticated against.
>
> In slapd.conf:
>
> database     meta
> suffix       dc=local
> rootdn       cn=administrator,dc=local
> rootpw       secret
>
> # domain01
> uri   ldaps://domain01.com:3269/ou=domain01.com,dc=local
> lastmod     off
> suffixmassage  "ou=domain01.com,dc=local" "dc=domain01,dc=com"
>
> idassert-bind           bindmethod=simple
>                        binddn="cn=binder,dc=domain01,dc=com"
>                        credentials="password"
>                        flags=non-prescriptive
>
> idassert-authzFrom      "dn.exact:cn=administrator,dc=local"
>
> # domain02
> uri   ldaps://domain02.com:3269/ou=domain02.com,dc=local
> lastmod     off
> suffixmassage  "ou=domain02.com,dc=local" "dc=domain02,dc=com"
>
> idassert-bind           bindmethod=simple
>                        binddn="cn=binder,dc=domain02,dc=com"
>                        credentials="password"
>                        flags=non-prescriptive
>
> idassert-authzFrom      "dn.exact:cn=administrator,dc=local"
>
> In saslauthd.conf you need to create the appropriate search base for
> authentication based on the domain in the userPassword field:
>
> ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta
> ldap_search_base: ou=%d,dc=local
> ldap_filter: (sAMAccountName=%U)
> ldap_auth_method: bind
>
> ldap_bind_dn: cn=administrator,dc=local
> ldap_password: secret
>
> ldap_deref: never
> ldap_use_sasl: no
>
> Hopefully this is enough info to get you going.

I wrote complete documentation on how to manage this with back-meta or back-ldap:
http://ltb-project.org/wiki/documentation/general/sasl_delegation

Hope it helps,

Clément.
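The realm-based routing that the quoted configuration sets up (the `{SASL}user@DOMAIN` value selecting the `ou=%d,dc=local` search base, which back-meta then rewrites onto the real directory via `suffixmassage`) can be modelled in a few lines. The following is an added illustration written for this thread, not code from slapd, saslauthd or the LTB project; the `TARGETS` table is constructed to mirror the two `uri`/`suffixmassage` pairs above, the realm is matched case-insensitively (an assumption, since the thread writes the realm in upper case in `userPassword` and in lower case in the `ou=`), and unknown realms are refused rather than guessed, which is the behaviour a controlled proxy should have.

```python
import re

# Constructed table mirroring the two back-meta targets in the quoted slapd.conf.
# Keys are realms as they appear after the '@' in '{SASL}user@REALM', lower-cased.
TARGETS = {
    "domain01.com": {
        "uri": "ldaps://domain01.com:3269",
        "virtual_suffix": "ou=domain01.com,dc=local",   # what clients see under dc=local
        "real_suffix": "dc=domain01,dc=com",            # what the remote directory uses
    },
    "domain02.com": {
        "uri": "ldaps://domain02.com:3269",
        "virtual_suffix": "ou=domain02.com,dc=local",
        "real_suffix": "dc=domain02,dc=com",
    },
}

# '{SASL}' prefix, then exactly one user part and one realm part separated by '@'.
SASL_RE = re.compile(r"^\{SASL\}([^@]+)@([^@]+)$")


def parse_sasl_password(value):
    """Split a '{SASL}user@REALM' userPassword value into (user, realm).

    Returns None when the value is malformed (no '{SASL}' prefix, missing or
    duplicated '@'), so callers fail closed instead of routing on a guess.
    The realm is lower-cased for table lookup (assumption, see lead-in).
    """
    m = SASL_RE.match(value)
    if m is None:
        return None
    return m.group(1), m.group(2).lower()


def escape_filter_value(value):
    """Escape an assertion value as RFC 4515 requires before placing it in a
    search filter, so a user name cannot change the shape of the filter."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def massage_dn(dn, virtual_suffix, real_suffix):
    """Rewrite the virtual suffix of a DN to the real one, the way the
    suffixmassage directive does for requests forwarded by back-meta."""
    if dn.lower() == virtual_suffix.lower():
        return real_suffix
    tail = "," + virtual_suffix
    if dn.lower().endswith(tail.lower()):
        return dn[: -len(tail)] + "," + real_suffix
    raise ValueError("DN %r is not under %r" % (dn, virtual_suffix))


def route_bind(user_password, base_suffix="dc=local"):
    """Decide where an authentication for this userPassword value goes.

    Returns a dict with the target URI, the search base saslauthd would form
    from 'ou=%d,dc=local', the escaped '(sAMAccountName=%U)' filter, and the
    base after suffixmassage; returns None for malformed values or realms
    that are not configured.
    """
    parsed = parse_sasl_password(user_password)
    if parsed is None:
        return None
    user, realm = parsed
    target = TARGETS.get(realm)
    if target is None:
        return None  # unconfigured realm: refuse, never fall back to a default target
    search_base = "ou=%s,%s" % (realm, base_suffix)
    return {
        "uri": target["uri"],
        "search_base": search_base,
        "filter": "(sAMAccountName=%s)" % escape_filter_value(user),
        "remote_base": massage_dn(search_base, target["virtual_suffix"], target["real_suffix"]),
    }


if __name__ == "__main__":
    for pw in ("{SASL}alice@DOMAIN01.COM", "{SASL}bob@domain02.com", "{SASL}eve@domain99.net"):
        print(pw, "->", route_bind(pw))
```

Running the block prints one routing decision per constructed value; the third value names a realm that is not in the table and is therefore rejected, which is the case to test first when standing up such a proxy.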