[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd-meta and idassert-bind



Hello,
 
I've three servers with three different LDAP suffixes: ou=users, ou=ldap1 and ou=ldap2. Servers with ou=ldap1 and ou=ldap2 also have a replica of the ou=users suffix
LDAP0 : ou=users,dc=test,dc=com
LDAP1 : ou=ldap1,dc=test,dc=com and ou=users,dc=test,dc=com
LDAP2 : ou=ldap2,dc=test,dc=com and ou=users,dc=test,dc=com

Each application client, depending on which suffix needs to be accessed, connects to an instance or another.
I want to unify access using ldap proxy. It seems that slapd-meta fits my requirements.

I've configured this targets:
# LDAP0
suffix   "ou=users,dc=test,dc=com"
uri      "ldap://host1:389/ou=users,dc=test,dc=com"
# LDAP1
suffix   "ou=ldap1,dc=test,dc=com"
uri      "ldap://host2:389/ou=ldap1,dc=test,dc=com"
# LDAP2
suffix   "ou=ldap2,dc=test,dc=com"
uri      "ldap://host3:389/ou=ldap2,dc=test,dc=com"

If the client binds the proxy with cn=user1,ou=users,dc=test,dc=com, it's authenticated successfully against ldap0 and can access to ou=users,dc=test,dc=com, but if tries to access ou=ldap1,dc=test,dc=com or ou=ldap2,dc=test,dc=com it binds anonymously to the targets and can not access anything.

I've tried idassert-bind and works perfectly, but I was wondering if I can avoid the use of a "pseudo-root identity" who had privileges to assert the client's identity.
As LDAP1 and LDAP2 have the ou=users suffix could authenticate the credentials of the users who bounds the proxy.
I don't know if it's possible with slapd-meta, but the idea is that client's user/password will be send directly to targets for binding so there's no need of id assertion.
The proxy simply passthrough the user/password to the targets.

Is this possible or I have to use idassert-bind?

Thanks