
Re: slapd-{ldap,meta} && authentication



Pierangelo Masarati wrote:

> > This works exactly as planned when slapd is using a 'bdb' backend, but
> > not 'ldap' (or 'meta' for that matter).
> >
> > What am I missing? Note that I don't want _ANY_ rewriting
> > or anything. The 'meta' slapd should match exactly the master...
> >
> > I'll be trying 'overlay' later to have the cache 'on file', but
> > currently that gives me errors, so I'll stick to one problem at
> > a time...
> >
> > I've been trying to check the mail archives but that doesn't show me ANYTHING that has to do with _authentication_, only _searches_...

> Exactly.  You cannot perform SASL bind with back-ldap.  You're supposed to
> use simple auth.  If you use HEAD code, you can have the proxy bind with
> SASL to the remote server, and eventually proxyAuthz your local identity
> (see idassert-* in HEAD's slapd-ldap(5)).  Note that proxying SASL auth
> might be impossible, and at least mechanism dependent (as far as I
> understand SASL).

This is not completely true. back-ldap does support sasl-regexp mapping, or it did the last time I worked with it. It will not be able to proxy any credentials, true. But for mechs like EXTERNAL and GSSAPI that is not necessary and this setup *should* work, and has worked for me in the past. If it does not now, this is a bug that should be filed in ITS.


I note the original poster is using back-meta, and I have never tested sasl-regexp with back-meta. It very well may never have worked. But certainly back-ldap did.
--
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
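The two mechanisms discussed above (Howard's sasl-regexp mapping on the proxy, and Pierangelo's idassert-* identity assertion towards the remote server) combined in one slapd.conf sketch. This is an added illustration, not configuration from the thread or from the OpenLDAP sources; the directive names follow the current slapd.conf(5) and slapd-ldap(5) (authz-regexp is the current spelling of sasl-regexp), while the hostnames, realm, DNs and the authzTo grant on the master are assumed placeholders.

```conf
# ---- proxy (back-ldap) slapd.conf: assumed example, not from the thread ----
# The client's SASL exchange (GSSAPI here) terminates at the proxy; the
# proxy never sees a password it could forward.  Map the authenticated
# Kerberos principal to a DN inside the proxied tree.
authz-regexp
    "uid=([^,]+),cn=EXAMPLE.COM,cn=gssapi,cn=auth"
    "uid=$1,ou=people,dc=example,dc=com"

database    ldap
suffix      "dc=example,dc=com"
uri         "ldap://master.example.com/"

# The proxy binds to the master with its *own* SASL credentials (assumed
# service principal, taken from the proxy's keytab) and asserts the
# client's mapped DN via the proxyAuthz control (mode=self).
idassert-bind   bindmethod=sasl saslmech=GSSAPI
                authcId="ldap/proxy.example.com@EXAMPLE.COM"
                mode=self

# Only identities under the mapped subtree may be asserted; anything else
# (e.g. an unmapped SASL identity) is refused rather than passed through.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"

# ---- master slapd.conf: assumed example ----
# Map the proxy's principal to an entry and let that entry (and only it)
# impersonate users, via an authzTo value on cn=ldap-proxy such as:
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
authz-policy to
authz-regexp
    "uid=ldap/proxy.example.com,cn=EXAMPLE.COM,cn=gssapi,cn=auth"
    "cn=ldap-proxy,ou=services,dc=example,dc=com"
```

The pairing of idassert-authzFrom on the proxy with authzTo on the master is what keeps the proxy from becoming a universal impersonation point: each side independently limits which DNs may be asserted. Nothing here is claimed for back-meta, which the thread notes was never tested with this mapping.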