
Re: Using back-ldap as a dumb proxy

--On Thursday, February 22, 2007 3:17 PM +0100 Ralf Haferkamp <rhafer@suse.de> wrote:

> Hm, if I understand you correctly, then you probably want to set
> "mode=none" in idassert-bind. The following config worked for me with
> OpenLDAP 2.3.33 proxying to an Active Directory:
>
> idassert-authzFrom dn.regex:.*
> idassert-bind bindmethod=SASL
>     saslmech=GSSAPI
>     mode=none
>
> Note that the idassert-authzFrom that I used will allow every user (even
> non-authenticated) to exploit the identity assertion feature. IIRC that
> means all queries against your proxy (regardless of how they authenticated)
> will get to the proxied server authenticated and authorized as the
> identity that is referenced in the Kerberos ticket cache that your proxy
> uses. At least that is how I interpreted the man-pages and how my test
> setup behaved.
>
> So you probably want to restrict the idassert-authzFrom option in your
> environment.

That's actually exactly what I want. The system is restricted to local binds only, so it is fine for any connection to use the authzFrom.
I'm getting an error with this config, unfortunately.

sh-2.05b# cat /etc/ldap/slapd.conf
# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/krb5-kdc.schema
include /etc/ldap/schema/suacct.schema

# Global Options

modulepath       /usr/lib/ldap
moduleload       back_ldap.la

readonly on
access to *
       by * read

# LDAP Proxy Options

database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none

which is:

Internal (implementation specific) error (80)


conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(objectClass=*)"
==> limits_get: conn=0 op=1 dn="[anonymous]"
ldap_create
ldap_url_parse_ext(ldap://ldap-test1.stanford.edu)
=>ldap_back_getconn: conn 0x81a1718 inserted refcnt=1 binding=1
===>slap_sasl_match: comparing DN to rule dn.regex:.*
slap_parseURI: parsing dn.regex:.*
<===slap_sasl_match: comparison returned 0
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-test1.stanford.edu:389
ldap_new_socket: 9
ldap_prepare_socket: 9
ldap_connect_to_host: Trying 171.64.11.148:389
ldap_connect_timeout: fd: 9 tm: -1 async: 0
ldap_int_sasl_open: host=ldap-test1.Stanford.EDU
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=80 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=80
ber_flush: 14 bytes to sd 8
0000: 30 0c 02 01 02 65 07 0a 01 50 04 00 04 00 0....e...P....
ldap_write: want=14, written=14
0000: 30 0c 02 01 02 65 07 0a 01 50 04 00 04 00 0....e...P....
conn=0 op=1 SEARCH RESULT tag=101 err=80 nentries=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
0000: 30 05 02 01 03 42 00 0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x081a1a38 ptr=0x081a1a38 end=0x081a1a3d len=5
0000: 02 01 03 42 00 ...B.
ber_get_next
ldap_read: want=8, got=0


ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=8 for close
connection_close: deferring conn=0 sd=8
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
do_unbind
conn=0 op=2 UNBIND
connection_resched: attempting closing conn=0 sd=8
connection_close: conn=0 sd=8
=>ldap_back_conn_destroy: fetching conn 0
daemon: removing 8
conn=0 fd=8 closed
On the remote server side, I see:

Feb 22 10:12:07 ldap-test1 slapd[20556]: conn=31708 fd=38 ACCEPT from IP=171.67.16.99:41602 (IP=0.0.0.0:389)
but no further steps in the negotiation process.

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
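Ralf's warning about `idassert-authzFrom dn.regex:.*` (every client, anonymous ones included, gets proxied under the Kerberos identity held by slapd) is the kind of thing worth checking mechanically before a proxy goes live. The script below is an added example, not code from either poster or from the OpenLDAP project. It parses a constructed slapd.conf that mirrors the configuration in this thread plus a hypothetical second back-ldap database (made-up suffix `dc=example,dc=com` and host `ldap-backend.example.com`) with a narrower rule, applies slapd.conf's comment and leading-whitespace continuation-line rules, and tests each idassert-authzFrom rule against the anonymous (empty) bind DN and an unrelated constructed DN. Assumptions: `dn.regex` is approximated with Python's unanchored `re.search` (standing in for POSIX `regexec`), DN comparison is case-folded string comparison rather than full DN normalisation, and rule styles other than `dn.exact`, `dn.regex`, `dn.subtree` and `dn.children` are reported as unmodelled.

```python
"""Audit slapd.conf for over-broad idassert-authzFrom rules in back-ldap.

Added example; the sample configuration and probe DN are constructed.
"""
import re
from typing import Dict, List, Optional

SAMPLE_SLAPD_CONF = """\
# Constructed sample slapd.conf (not the file from the thread).
modulepath /usr/lib/ldap
moduleload back_ldap.la

# 1) The permissive setup discussed in the thread: any bind DN,
#    including the anonymous (empty) DN, may trigger identity assertion.
database ldap
suffix "dc=stanford,dc=edu"
uri "ldap://ldap-test1.stanford.edu"
idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL
    saslmech=GSSAPI
    mode=none

# 2) Hypothetical restricted variant (made-up suffix and host): only
#    entries directly under ou=People may use the asserted identity.
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap-backend.example.com"
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$"
idassert-bind bindmethod=SASL
    saslmech=GSSAPI
    mode=none
"""

# Constructed DN that no legitimate client of either database should hold.
PROBE_DN = "cn=arbitrary,dc=elsewhere,dc=test"


def _split_args(line: str) -> List[str]:
    """Tokenise one logical slapd.conf line: whitespace-separated, with
    double quotes grouping a value that contains spaces or specials."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]


def parse_slapd_conf(text: str) -> List[Dict]:
    """Return a global section followed by one section per 'database'.

    slapd.conf rules implemented: a line starting with '#' is a comment,
    blank lines are ignored, and a line beginning with whitespace continues
    the previous directive (as in the idassert-bind block in the thread)."""
    logical: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())

    sections: List[Dict] = [{"database": None, "suffix": None, "directives": []}]
    for line in logical:
        tokens = _split_args(line)
        name, args = tokens[0].lower(), tokens[1:]
        if name == "database":
            sections.append({"database": args[0], "suffix": None, "directives": []})
            continue
        current = sections[-1]
        if name == "suffix":
            current["suffix"] = args[0]
        current["directives"].append((name, args))
    return sections


def rule_covers(rule: str, dn: str) -> Optional[bool]:
    """True if an authzFrom rule admits the bind DN, False if not, None for
    rule styles this example does not model (e.g. 'u:' rules).

    Anonymous binds carry the empty DN, so rule_covers(rule, "") answers
    the question raised in the thread: can unauthenticated clients use the
    asserted identity?  Assumption: dn.regex approximated by unanchored
    re.search; DN equality approximated by case-folded string compare."""
    style, _, pattern = rule.partition(":")
    dn_l, pat_l = dn.lower(), pattern.lower()
    if style == "dn.regex":
        return re.search(pattern, dn, re.IGNORECASE) is not None
    if style == "dn.exact":
        return dn_l == pat_l
    if style == "dn.subtree":
        return dn_l == pat_l or dn_l.endswith("," + pat_l)
    if style == "dn.children":
        return dn_l.endswith("," + pat_l)
    return None


def audit(text: str, probe_dn: str = PROBE_DN) -> List[Dict]:
    """For every back-ldap database, report each idassert-authzFrom rule and
    whether it admits the anonymous DN and an unrelated probe DN."""
    findings = []
    for section in parse_slapd_conf(text):
        if section["database"] != "ldap":
            continue
        for name, args in section["directives"]:
            if name != "idassert-authzfrom":
                continue
            rule = " ".join(args)
            findings.append({
                "suffix": section["suffix"],
                "rule": rule,
                "anonymous": rule_covers(rule, ""),
                "probe": rule_covers(rule, probe_dn),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SLAPD_CONF):
        flag = "OPEN" if f["anonymous"] or f["probe"] else "restricted"
        print(f"{f['suffix']}: {f['rule']} -> {flag} "
              f"(anonymous={f['anonymous']}, unrelated DN={f['probe']})")
```

Run against the sample, the first database is flagged OPEN on both probes, which is exactly the behaviour Ralf describes; the second admits neither the anonymous DN nor the unrelated DN. Note that the thread's slapd debug output shows the proxy failing at `ldap_int_sasl_open` and returning err=80 before any bind request reaches the remote side (which logs only the ACCEPT), so this audit says nothing about why the GSSAPI bind itself fails; it only tells you who would be allowed to ride the asserted identity once it works.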