[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-{ldap,meta} && authentication

To: "Howard Chu" <hyc@symas.com>
Subject: Re: slapd-{ldap,meta} && authentication
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Thu, 22 Jul 2004 22:12:51 +0200 (CEST)
Cc: "Turbo Fredriksson" <turbo@bayour.com>, openldap-software@OpenLDAP.org
Importance: Normal
In-reply-to: <41001633.4080404@symas.com>
References: <87vfggcd65.fsf@papadoc.bayour.com> <48185.131.175.154.56.1090513887.squirrel@131.175.154.56> <41001633.4080404@symas.com>
User-agent: SquirrelMail/1.4.3a-1

> Pierangelo Masarati wrote:
>
>>>This works exactly as planed when slapd is using a 'bdb' backend, but
>>>not 'ldap' (or 'meta' for that matter).
>>>
>>>What am I missing? Note that I don't want _ANY_ rewriting
>>>or anything. The 'meta' slapd should match exactly the master...
>>>
>>>I'll be trying 'overlay' later to have the cache 'on file', but
>>>currently that gives me errors, so I'll stick to one problem at
>>>the time...
>>>
>>>
>>>I've been trying to check the mail archives but that doesn't
>>>show me ANYTHING that have to do with _authentication_, only
>>>_searches_...
>
>> Exactly.  You cannot perform SASL bind with back-ldap.  You're supposed
>> to
>> use simple auth.  If you use HEAD code, you can have the proxy bind with
>> SASL to the remote server, and eventually proxyAuthz your local identity
>> (see idassert-* in HEAD's slapd-ldap(5)).  Note that proxying SASL auth
>> might be impossible, and at least mechanism dependent (as far as I
>> understand of SASL).
>
> This is not completely true. back-ldap does support sasl-regexp mapping,
> or it did the last time I worked with it. It will not be able to proxy
> any credentials, true. But for mechs like EXTERNAL and GSSAPI that is
> not necessary and this setup *should* work, and has worked for me in the
> past. If it does not now, this is a bug that should be filed in ITS.
>
> I note the original poster is using back-meta, and I have never tested
> sasl-regexp with back-meta. It very well may never have worked. But
> certainly back-ldap did.

I only tried with back-ldap with mechs containing the credentials
(MD5, essentially), and they don't work, as expected.  That's what
I was referring to when speaking about mech dependent.  I never
tried with EXTERNAL or GSSAPI, so I can't speak about that.  I see
that everything about authz-regexp should work with back-ldap
(there's much about that in test028/test029) but the fact the
original poster fails when regexping from authz internal DN form to
actual user form seems to indicate that there's something SASL
related in that conversion.  I think at this point he should try
with back-ldap (even without proxy caching) and produce a full log
of the authz-regexp portion.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

Follow-Ups:
- Re: slapd-{ldap,meta} && authentication
  - From: "Pierangelo Masarati" <ando@sys-net.it>

References:
- slapd-{ldap,meta} && authentication
  - From: Turbo Fredriksson <turbo@bayour.com>
- Re: slapd-{ldap,meta} && authentication
  - From: "Pierangelo Masarati" <ando@sys-net.it>
- Re: slapd-{ldap,meta} && authentication
  - From: Howard Chu <hyc@symas.com>

Prev by Date: BINDDN in ldap.conf
Next by Date: RE: Crazy ldap attribute release policy
Index(es):
- Chronological
- Thread