
Re: LDAP proxy and memberOf overlay



I haven't done this myself, but I suspect you'd want to use the translucent proxy backend instead of the normal back_ldap one. Check the man page for slapo-translucent.


On Wed, Feb 12, 2014 at 9:24 AM, Ingo Mailinglists <ingo.mailinglists@gmail.com> wrote:
Hi List,

I am currently stuck with setting up OpenLDAP servers to fully address
my use case. I hope someone here can point me in the right direction. I
think it comes down to the point where I do not know how to use the
memberOf overlay with an LDAP proxy (back_ldap).

First the use case:
* I have a corporate OpenLDAP server that holds entries for our employees
* There are also multiple http-based services which are allowed to be
used after successful user authentication and given that group
membership requirements are met.
* The http-based services need to be accessed by both internal employees
(those for which entries are stored in the corporate OpenLDAP server)
and external people (for which there are no user entries yet).

The task is to come up with an approach that supports the following:
* allow the http-based services to authenticate both internal and
external users against an OpenLDAP server
* allow authorization based on group memberships
* entries that represent external people are not allowed to be stored in
the existing corporate OpenLDAP server
* entries that represent group memberships are not allowed to be stored
in the existing corporate OpenLDAP server
* in general, no changes to the corporate OpenLDAP server are allowed at all

Here is my approach so far:
* I have set up a new OpenLDAP server with two databases.
* The first is a local hdb database. The suffix is set to a subordinate
of the corporate OpenLDAP server.
* The second is an ldap database, which points to and has the same suffix
as the corporate OpenLDAP server.

The purpose of the local hdb database is twofold:
* it should store entries for external people
* it should store the group memberships for both external people and
employees from my own company

I did some tests with Apache 2.2.22, mod_ldap and mod_authnz_ldap. I can
authenticate both types of users (external from hdb and internal from
ldap). I can even authorize them based on their group membership (using
groupOfNames stored in the local hdb database). The group membership
check also works for user entries that are proxied via the ldap database
backend.

However, the approach fails for services that need the memberOf overlay
for making authorization decisions based on group membership (ownCloud
is such an example). I have enabled the memberOf overlay for the local
hdb database. So external users are not the problem. However, I cannot
enable it for the ldap database, as I am not allowed to make any changes
to the user entries of the corporate OpenLDAP server. That is, I am not
allowed to add the memberOf attribute to the respective entries - even
if ACLs would allow me to do so.

Now this is the point where I am stuck. Basically, I am looking for a
way to add the memberOf attribute to proxied user entries locally on my
new OpenLDAP server, without affecting the entries in the corporate
OpenLDAP server.

Any help that might point me in the right direction is highly appreciated.

Thanks,
Ingo
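The layout the reply points at, written out as an added example that is neither the reply author's nor the original poster's code. slapo-translucent is an overlay that stacks on a local database rather than a replacement for back_ldap: the corporate server becomes the overlay's captive back-ldap, configured by the `uri` line that follows the translucent_* options, and attributes found in the local entry of the same DN are merged onto what the corporate server returns. Since memberOf is the only thing the corporate entries lack, the sketch keeps it as plain attribute values in the local database instead of generating it with slapo-memberof, which does not run during an offline slapadd load; the awk check keeps member and memberOf in agreement before loading. The suffix, hostnames, paths, DNs, passwords and file names are assumptions, the whole layout is untested, and two points need verifying on the poster's OpenLDAP version: that local-only entries (the external people) are returned through the overlay, and that translucent_bind_local satisfies their binds.

```shell
#!/bin/sh
# Added example, not code from either message on this page. One local hdb
# database with the corporate suffix, slapo-translucent on top, the
# corporate server as captive back-ldap, memberOf as local attribute values.
# Suffix, hosts, paths, DNs and passwords are placeholders; untested layout.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# slapd.conf for the proxy host.
write_slapd_conf() {
	cat >"$WORKDIR/slapd.conf" <<'EOF'
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# Only needed when backends and overlays are built as modules. memberof.la
# is loaded for its memberOf attribute type definition; the overlay itself
# is not stacked, because offline slapadd loads bypass the overlay stack.
modulepath      /usr/lib/openldap
moduleload      back_hdb.la
moduleload      back_ldap.la
moduleload      translucent.la
moduleload      memberof.la

# Local database, same suffix as the corporate server: external people,
# the groupOfNames entries and the memberOf values never written upstream.
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=proxyadmin,dc=example,dc=com"
rootpw          {SSHA}REPLACE-ME
directory       /var/lib/ldap/translucent
index           objectClass eq
index           uid,cn eq
index           member,memberOf eq

# Corporate entries are merged with the local entry of the same DN.
overlay         translucent
# memberOf never exists upstream: evaluate filters on it locally only.
translucent_local memberOf
# Fall back to local credentials when the upstream bind fails (external
# people have no corporate entry).
translucent_bind_local
# Reject attribute deletions instead of silently ignoring them.
translucent_strict
# Directives after the translucent_* options configure the captive
# back-ldap, i.e. the read path to the corporate server.
uri             "ldap://corp-ldap.example.com/"
EOF
}

# Local LDIF (constructed): glue parents mirroring upstream, one external
# user, one group, and a one-attribute local entry for a corporate user.
write_ldif() {
	cat >"$WORKDIR/local.ldif" <<'EOF'
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=people,dc=example,dc=com
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: organizationalUnit
ou: groups

dn: uid=ext1,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: ext1
cn: External One
sn: One
userPassword: {SSHA}REPLACE-ME
memberOf: cn=owncloud,ou=groups,dc=example,dc=com

dn: uid=alice,ou=people,dc=example,dc=com
memberOf: cn=owncloud,ou=groups,dc=example,dc=com

dn: cn=owncloud,ou=groups,dc=example,dc=com
objectClass: groupOfNames
cn: owncloud
member: uid=ext1,ou=people,dc=example,dc=com
member: uid=alice,ou=people,dc=example,dc=com
EOF
}

# Nothing maintains memberOf for offline-loaded data, so check that every
# member value has its memberOf and vice versa. Non-zero exit on mismatch.
check_membership() {
	awk '
		/^dn: /       { dn = substr($0, 5); next }
		/^member: /   { m[dn SUBSEP substr($0, 9)] = 1; next }
		/^memberOf: / { mo[substr($0, 11) SUBSEP dn] = 1; next }
		END {
			bad = 0
			for (k in m)  if (!(k in mo)) { split(k, p, SUBSEP); print "missing memberOf on " p[2] " for " p[1]; bad = 1 }
			for (k in mo) if (!(k in m))  { split(k, p, SUBSEP); print "dangling memberOf on " p[2] " for " p[1]; bad = 1 }
			exit bad
		}' "$1"
}

# Usage: WORKDIR=/etc/openldap sh translucent-proxy.sh run
# then: slapadd -f $WORKDIR/slapd.conf -l $WORKDIR/local.ldif (add -s if
# the objectClass-less alice entry trips schema checking).
if [ "${1:-}" = "run" ]; then
	write_slapd_conf
	write_ldif
	check_membership "$WORKDIR/local.ldif"
	command -v slaptest >/dev/null && slaptest -u -f "$WORKDIR/slapd.conf"
	echo "wrote $WORKDIR/slapd.conf and $WORKDIR/local.ldif"
fi
```

The split of roles is the point: the only entries the proxy host owns are the ones the corporate server is not allowed to hold, and the alice entry carries nothing but the memberOf values that get merged onto her corporate entry on the way out to ownCloud. If group changes must happen online through the proxy, stacking slapo-memberof above translucent is the next thing to try, but that path (memberof's internal modifies landing in the local database via translucent) is not something this sketch verifies.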