
Re: slapd-{ldap,meta} && authentication



> I'd like to have a local slapd on my mailserver (QmailLDAP/Controls)
> which is readable only through a socket (ldapi) to speed things up
> for Qmail (at least I HOPE that it's going to be faster :).
>
> I tried to have a COPY of the database (which is replicated from the
> master). This works exceptionally well (even though it's not THAT much
> faster - barely noticeable).
>
> But I don't want to risk inconsistencies, so I was thinking CACHING
> PROXY instead. Which, if I read the manuals correctly, would be
> provided by 'meta', not 'ldap'.... ?
>
> I can get results from the proxy, but I don't get ALL of it when
> using my (Kerberos V) ticket (using SASL). This works when the local
> slapd is a COPY (I use almost the exact same config files for the
> two attempts)...
>
> What doesn't work is the sasl-regexp... From 'ldapwhoami', I get
>
>         dn:uid=turbo,cn=swe.net,cn=gssapi,cn=auth
>
> and not the 'expected' (which I get on the 'master').
>
>         dn:uid=turbo,ou=people,o=swe.net ab,c=se
>
> This is part of the slapd.conf on the slave:
>
> ----- s n i p -----
> database                ldap
> default-target          none
> suffix                  "c=SE"
> uri                     "ldap://master/c=SE";
> dncache-ttl             60
> lastmod                 off
> proxy-whoami
> rebind-as-user
> ----- s n i p -----
>
> On both the 'slave' and 'master', I have this sasl-regexp (in one
> place too much!?):
>
> ----- s n i p -----
> sasl-regexp
>         uid=(.*),cn=(.*),cn=(.*),cn=auth
>         ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)
> sasl-regexp
>         email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)
>         ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))
> ----- s n i p -----
>
> This works exactly as planned when slapd is using a 'bdb' backend, but
> not 'ldap' (or 'meta' for that matter).
>
> What am I missing? Note that I don't want _ANY_ rewriting
> or anything. The 'meta' slapd should match exactly the master...
>
> I'll be trying 'overlay' later to have the cache 'on file', but
> currently that gives me errors, so I'll stick to one problem at
> a time...
>
>
> I've been trying to check the mail archives but that doesn't
> show me ANYTHING that has to do with _authentication_, only
> _searches_...
>

Exactly.  You cannot perform SASL bind with back-ldap.  You're supposed to
use simple auth.  If you use HEAD code, you can have the proxy bind with
SASL to the remote server, and eventually proxyAuthz your local identity
(see idassert-* in HEAD's slapd-ldap(5)).  Note that proxying SASL auth
might be impossible, and at least mechanism dependent (as far as I
understand SASL).

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
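An added example of the idassert-* arrangement the reply points to; it is not the poster's configuration, not the reply author's, and not text from the OpenLDAP manual pages. It is written in the slapd-ldap(5) / slapd.conf(5) syntax of OpenLDAP 2.3 and later rather than whatever HEAD carried at the time of the thread. The proxy's service principal (ldap/proxy.swe.net@SWE.NET), the DN of its entry on the master, and the hostnames are assumptions; the suffix, realm and the user DN shape are taken from the post. The idea is that the proxy authenticates to the master once with its own Kerberos credentials and then asserts, per operation, the identity of whoever bound locally, so no SASL exchange has to be forwarded.

```conf
# ---- slapd.conf on the proxy (the back-ldap "slave" of the post) ----
# Assumed example configuration, not the poster's file.
database        ldap
suffix          "c=SE"
uri             "ldap://master/"
proxy-whoami

# The proxy binds to the master with its own GSSAPI credentials
# (assumed service principal) and asserts the local bind identity
# through the proxyAuthz control.  mode=self asserts the DN that the
# client ended up with locally; with GSSAPI that is the unmapped
# uid=<user>,cn=swe.net,cn=gssapi,cn=auth string unless the proxy
# runs its own authz-regexp.
idassert-bind   bindmethod=sasl saslmech=GSSAPI
                authcId="ldap/proxy.swe.net@SWE.NET"
                mode=self

# Only identities that came from a local GSSAPI bind in the SWE.NET
# realm may be asserted; anything else is not proxied as that identity.
idassert-authzFrom "dn.regex:^uid=[^,]+,cn=swe\.net,cn=gssapi,cn=auth$"

# ---- slapd.conf on the master ----
# The master must agree to let the proxy's identity act on behalf of
# others ("to" policy: the authenticating entry lists whom it may
# become).  The master keeps the poster's own sasl-regexp so that both
# the proxy's principal and the asserted uid=...,cn=auth strings are
# mapped to real entries via krb5PrincipalName.
authz-policy    to

# ---- and, in LDIF, on the proxy's own entry in the master's DIT ----
# (assumed entry; it must carry the proxy's krb5PrincipalName so the
#  master's sasl-regexp resolves the proxy's bind to this DN)
#
#   dn: cn=ldap proxy,ou=people,o=swe.net ab,c=se
#   krb5PrincipalName: ldap/proxy.swe.net@SWE.NET
#   authzTo: dn.regex:^uid=[^,]+,ou=people,o=swe\.net ab,c=se$
```

Once this is in place, `ldapwhoami -Y GSSAPI` against the proxy (with `proxy-whoami` on) reports the identity the master computed, which is the check the poster was using to tell the two setups apart. The authzTo regex on the master is the real boundary: it caps which DNs a compromised or misconfigured proxy can claim, so keep it to the user subtree rather than the whole suffix.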