
Openldap 2.2.4 SASL Proxy auth



- System: RedHat RHEL 3, system is production/test
- BDB 4.2.52 w/patch
- Cyrus SASL 2.1.15
- Openldap 2.2.4 ports 9000 plain & TLS, 9001 SSL, ldapi socket
/usr/local/ldaptest/var/ldapi perms 4755
install dir /usr/local/ldaptest
- Openldap 2.1.25 ports 389 plain & TLS, 636 SSL, ldapi socket
/usr/local/var/ldapi perms 4777
install dir /usr/local

Both Openldap instances are running separate databases, but with the
same DIT in each (completely independent of each other).

Running 2.1.25 for daily use and experimenting with 2.2.4 on the same
machine. I'm dependent on DIGEST-MD5 proxy auth (see Admin guide para.
10) for Postfix smtp AUTH over libldapdb.

2 questions:

1: It would be "nice" if I could configure both Openldap versions
separately. But I can't write a sasl-regexp for the 2.2.4 instance
that refers to port 9001. This works:

sasl-regexp uid=(.*),cn=digest-md5,cn=auth
   "ldaps:///dc=billy,dc=demon,dc=nl??sub?uid=$1"

This doesn't:

sasl-regexp uid=(.*),cn=digest-md5,cn=auth
   "ldaps://localhost:9001/dc=billy,dc=demon,dc=nl??sub?uid=$1"

Is there any way of referring the regex to port 9001? At the moment, the
2.2.4 instance running on port 9001 is going to the 2.1.25 instance
*over ldapi* (that's what I have in ldap.conf) for authorization, which
is not what I want :) I'm running the 2.2.4 daemon from a Xterm console
at log level 7. I can see all this from the 2 separate log instances.

2: I have a saslAuthzTo operational (regex) attribute for the proxy user
cn=admin,dc=billy,dc=demon,dc=nl (my ACLs give him permission to
everything in the DIT) that works for 2.1.25, but not for 2.2.4:

cn=.*,dc=billy,dc=demon,dc=nl

But the following regex attribute *does* work for 2.2.4, though the
Admin guide (understandably) advises against it on grounds of
performance:

ldaps:///ou=people,ou=groups,dc=billy,dc=demon,dc=nl??sub?(objectclass=Person)

"How do you know these things do not work?" I can see from the logs and
the results of my command-line 'ldapwhoami'.

Can anyone confirm the above two points, or am I doing things wrong? 

Thanks for any comments,

--Tonni

-- 
mail: billy - at - billy.demon.nl
http://www.billy.demon.nl
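As an added illustration (not code from the post or from OpenLDAP), the following Python models the two mechanisms the post is asking about: the sasl-regexp mapping from a SASL authentication DN to a search URL, and the DN-regex form of saslAuthzTo. The sample rules are copied from the post; the full-match, case-insensitive matching, the rejection of a host:port in the replacement URL (mirroring the post's observation that only the host-less ldaps:/// form worked), and the wildcard check on the generated filter are assumptions of this example, not slapd's documented internals.

```python
import re
from urllib.parse import unquote

# Constructed sample rules, taken from the slapd.conf lines in the post.
SASL_REGEXP = (r"uid=(.*),cn=digest-md5,cn=auth",
               "ldaps:///dc=billy,dc=demon,dc=nl??sub?uid=$1")
SASLAUTHZTO_RE = r"cn=.*,dc=billy,dc=demon,dc=nl"

def map_authcid(authc_dn, rule=SASL_REGEXP):
    """Apply a sasl-regexp rule: full-match the SASL authentication DN and
    substitute $1.. into the replacement string (assumed matching semantics)."""
    pattern, replacement = rule
    m = re.fullmatch(pattern, authc_dn, flags=re.IGNORECASE)
    if m is None:
        return None
    return re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), replacement)

def parse_ldap_url(url):
    """Split an RFC 4516 LDAP URL into scheme, host, base, attrs, scope, filter."""
    scheme, _, rest = url.partition("://")
    if scheme not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: " + url)
    host, _, rest = rest.partition("/")
    parts = rest.split("?")
    parts += [""] * (4 - len(parts))          # pad missing ?attrs?scope?filter
    base, attrs, scope, filt = [unquote(p) for p in parts[:4]]
    return {"scheme": scheme, "host": host, "base": base,
            "attrs": attrs, "scope": scope or "base", "filter": filt}

def check_mapping(authc_dn, rule=SASL_REGEXP):
    """Return (ok, detail). A non-empty host is flagged, as in the post only the
    host-less form worked; a wildcard in the derived filter is flagged because a
    captured uid is substituted into the filter unescaped (added check)."""
    url = map_authcid(authc_dn, rule)
    if url is None:
        return False, "no sasl-regexp rule matched"
    parsed = parse_ldap_url(url)
    if parsed["host"]:
        return False, "host/port in replacement URL is not supported: " + parsed["host"]
    if "*" in parsed["filter"]:
        return False, "wildcard in search filter"
    return True, parsed

def authz_allowed(target_dn, regex=SASLAUTHZTO_RE):
    """saslAuthzTo in DN-regex form: the proxy user may assume target_dn
    only if the whole DN matches the regex (assumed full-match semantics)."""
    return re.fullmatch(regex, target_dn, flags=re.IGNORECASE) is not None
```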