
more back-ldap



I've added a "proxy-whoami" keyword for back-ldap's configuration. When set,
back-ldap loads a new handler for the WhoAmI extop that replaces slapd's
built-in handler. The new handler does exactly the same as the old one,
except - if the op had a proxy authz control, and the connection was
authenticated by back-ldap, then the WhoAmI is forwarded with a ProxyAuthz
control to the remote LDAP server.

Note that the slapd front-end has already processed the ProxyAuthz control,
so the control that back-ldap forwards is using a DN, not a userID. Generally
this will be a SASL DN of the form "uid=foo,cn=auth".

I've also updated contrib/ldapsasl to use the ProxyAuthz control.

Here's the setup that I'm using with this...

###
/usr/lib/sasl2/sample.conf:
ldapdb_uri: ldapi://
ldapdb_mech: EXTERNAL

###
proxy-slapd.conf:
sasl-regexp uidNumber=0+gidNumber=0,(.*)=peercred,cn=external,cn=auth \
	"$1=manager,dc=example,dc=com"

database ldap
suffix	dc=example,dc=com
uri		ldap://ldap.example.com
rootdn	cn=manager,dc=example,dc=com
binddn	cn=manager,dc=example,dc=com
bindpw	secret
proxy-whoami

###
master-slapd.conf:
sasl-regexp uidNumber=0+gidNumber=0,(.*)=peercred,cn=external,cn=auth \
	"$1=manager,dc=example,dc=com"
sasl-regexp uid=([^,]*),.*cn=auth \
	ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)

database bdb
suffix	dc=example,dc=com
rootdn	cn=manager,dc=example,dc=com
rootpw	secret
directory	/var/openldap-data

###
I have to do some fudging to map the Unix root user to the directory rootdn -
sasl-regexp doesn't do anything if both strings are constants. Since I'm
mapping a constant user name, I had to insert a harmless string substitution
into the regexp. (Using ldapi with SASL/EXTERNAL, root's SASL DN is
"uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth" and I just want
this to be mapped to the directory's rootDN.)

Anyway, it's all working as desired - I can set up a back-ldap proxy on a
machine and point everything at it (pam, nss, SASL) using ldapi. The proxy
can forward all requests to a remote slapd over one or two pooled SSL
sessions. This avoids the expensive SSL setup overhead, keeps the SASL
username-to-DN mapping configured solely on the master slapd, and lets
pam/nss distinguish between root and non-privileged users without having to
scatter more secrets everywhere.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
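The mapping that the two sasl-regexp rules above perform can be checked offline. The following is an added example, not part of Howard Chu's message and not OpenLDAP code: a small Python simulation of slapd's sasl-regexp semantics (rules tried in order, first match wins, `$1`..`$9` in the replacement refer to the pattern's capture groups). The rule table is modelled on the master-slapd.conf in the post; the non-root peercred DN is constructed for illustration, and matching is done case-insensitively as an assumption of the simulation. One caveat a practitioner will want: in extended regular expression syntax, which Python's `re` shares, an unescaped `+` is a repetition operator rather than the literal `+` that joins the multi-valued peercred RDN, so the example escapes it as `\+`; check the pattern syntax of the slapd you deploy on before copying the rule verbatim.

```python
"""Simulation of slapd's sasl-regexp identity mapping.

Illustrative code, not slapd's implementation: rules are tried in order, the
first pattern that matches the SASL DN wins, and $1..$9 in the replacement are
expanded from the pattern's capture groups.  This is what turns the constant
peercred DN of Unix root into the directory rootDN: the "(.*)" capture is the
"harmless substitution" the post mentions, because a rule whose match and
replacement are both plain constants would not be processed.
"""
import re

# Constructed rule table modelled on the master-slapd.conf in the post.
# The '+' joining uidNumber and gidNumber is escaped: an unescaped '+' is a
# repetition operator in extended regular expressions (and in Python's re).
RULES = [
    (r"uidNumber=0\+gidNumber=0,(.*)=peercred,cn=external,cn=auth",
     "$1=manager,dc=example,dc=com"),
    (r"uid=([^,]*),.*cn=auth",
     "ldap:///ou=people,dc=example,dc=com??sub?(uid=$1)"),
]

# Sample identities.  ROOT_PEERCRED is the root SASL DN quoted in the post and
# PROXIED_USER the "uid=foo,cn=auth" form back-ldap forwards in the ProxyAuthz
# control; USER_PEERCRED is a constructed non-root peercred DN.
ROOT_PEERCRED = "uidNumber=0+gidNumber=0,cn=peercred,cn=external,cn=auth"
USER_PEERCRED = "uidNumber=1000+gidNumber=1000,cn=peercred,cn=external,cn=auth"
PROXIED_USER = "uid=foo,cn=auth"


def _to_python_template(replacement):
    """Rewrite slapd-style $N back-references to the \\N form Match.expand uses."""
    return re.sub(r"\$(\d)", r"\\\1", replacement)


def map_sasl_dn(sasl_dn, rules=RULES):
    """Return the mapped DN or LDAP URL for a SASL DN.

    Rules are applied in order; the first match wins.  If no rule matches, the
    SASL DN is returned unchanged, which is how the identity would reach the
    directory (and then match no real entry).
    """
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return m.expand(_to_python_template(replacement))
    return sasl_dn


def unescaped_plus_matches(sasl_dn=ROOT_PEERCRED):
    """Check whether the rule with an unescaped '+' matches the root peercred DN.

    With '0+' read as "one or more zeros", the pattern never consumes the
    literal '+' in the DN, so the match fails; this is the check to run when
    a root-to-rootdn mapping silently does nothing.
    """
    unescaped = r"uidNumber=0+gidNumber=0,(.*)=peercred,cn=external,cn=auth"
    return re.search(unescaped, sasl_dn, re.IGNORECASE) is not None


def demo():
    """Map the three sample identities and return the results keyed by input."""
    return {dn: map_sasl_dn(dn) for dn in (ROOT_PEERCRED, USER_PEERCRED, PROXIED_USER)}


if __name__ == "__main__":
    for sasl_dn, mapped in demo().items():
        print(f"{sasl_dn}\n    -> {mapped}")
    print("unescaped '+' pattern matches root DN:", unescaped_plus_matches())
```

Root's peercred DN comes out as `cn=manager,dc=example,dc=com`, the forwarded `uid=foo,cn=auth` becomes the search URL for ou=people, and a non-root peercred DN matches neither rule and passes through untouched, which is exactly the separation between root and ordinary users that the post relies on.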