[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using back-ldap as a dumb proxy

To: Pierangelo Masarati <ando@sys-net.it>
Subject: Re: Using back-ldap as a dumb proxy
From: Quanah Gibson-Mount <quanah@stanford.edu>
Date: Wed, 21 Feb 2007 15:04:09 -0800
Cc: openldap-software@openldap.org
Content-disposition: inline
In-reply-to: <45DCCD40.8070803@sys-net.it>
References: <6AD808AA2BF4BF6414038620@deus-ex.stanford.edu> <85B4097385A933A1E1C56B66@deus-ex.stanford.edu> <45DCCD40.8070803@sys-net.it>

--On Wednesday, February 21, 2007 11:52 PM +0100 Pierangelo Masarati <ando@sys-net.it> wrote:

Quanah Gibson-Mount wrote:

--On Wednesday, February 21, 2007 2:39 PM -0800 Quanah Gibson-Mount
<quanah@stanford.edu> wrote:

I'm trying to set up a very simply slapd that takes incoming requests
locally, and forwards them on to a remote server using SASL/GSSAPI to
get the information, so that a internal app that doesn't understand
SASL/GSSAPI can get the information it needs.

Never mind, I forgot to load the core schema. duh. :P

The proxy was a bit too dumb ;)


Heh.

The problem I'm having now, is I can't get it to perform SASL/GSSAPI auth to the remote proxy.

If I have:

# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema
# Global Options

modulepath       /usr/lib/ldap
moduleload       back_ldap.la

readonly on
access to *
       by * read

# LDAP Proxy Options


database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://ldap-test1.stanford.edu";
idassert-bind  bindmethod=none

It correctly talks to the remote server with an anonymous bind. However, if I change things around:

idassert-bind   bindmethod=sasl
               saslmech=gssapi
               realm=stanford.edu
               authcID=proxy
               credentials=proxy
               mode=self


I get:

ldapsearch -LLL -x -h localhost -b "dc=stanford,dc=edu" uid=quanah
Inappropriate authentication (48)

The KRB5CCNAME is set in slapd's environment, so it has access to the ticket cache it needs to use to perform SASL/GSSAPI. It is not talking to the remote server at all.

Is there something here I'm missing?

I've also tried:

idassert-bind   bindmethod=sasl
               saslmech=gssapi
               realm=stanford.edu
               authcID=service/mailrouter@stanford.edu

authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu


But then I get:

Authentication method not supported (7)


And again, it didn't talk to the remote server.


Thanks,
Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Follow-Ups:
- Re: Using back-ldap as a dumb proxy
  - From: Pierangelo Masarati <ando@sys-net.it>

References:
- Using back-ldap as a dumb proxy
  - From: Quanah Gibson-Mount <quanah@stanford.edu>
- Re: Using back-ldap as a dumb proxy
  - From: Quanah Gibson-Mount <quanah@stanford.edu>

Prev by Date: Re: Using back-ldap as a dumb proxy
Next by Date: Re: Using back-ldap as a dumb proxy
Index(es):
- Chronological
- Thread