
Re: (ITS#7807) rebind-as-user in slapd-meta not running



On 02/28/2014 11:00 AM, theedgeu2@live.com wrote:
> Full_Name: Angel Martinez
> Version: 2.4.39
> OS: Red Hat Linux 6.4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (217.71.18.36)
>
>
> I'm trying to configure a LDAP proxy with slapd-meta.
>
> I have several suffixes over several instances that share the same user
> accounts. It's possible that one user has access to several targets.
>
> The targets are:
>
> * Users: ou=users, dc=test, dc=com (here resides all accounts)
>
> * Target1: ou=target1, dc=test, dc=com
>
> * Target2: ou=target2, dc=test, dc=com
>
> These 3 suffixes are on 3 different instances.
>
> The instances where target1 and target2 are located also have another suffix: ou=users,
> dc=test, dc=com. This suffix is replicated from the first instance (Users).
>
> Normally, the users connect through the proxy, but sometimes they will connect
> directly to the other instances.
>
> Basically this is the slapd.conf of the proxy:
>
> database meta
> chase-referrals yes
> rebind-as-user  yes
>
> suffix   "ou=users,dc=test,dc=com"
> uri      "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com";
>
> suffix   "ou=target1,dc=test,dc=com"
> uri      "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com";
>
> suffix   "ou=target2,dc=test,dc=com"
> uri      "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com";
>
> When a user connects to the proxy as cn=user1,ou=users,dc=test,dc=com, the
> user is validated against the first target (ou=users) and can search over this
> suffix, but if this user tries to search something over another target (for example
> ou=target1) the proxy does not use the credentials of the user and does an
> anonymous bind to target1, so the search doesn't run.
>
> I thought that rebind-as-user would resolve this, but it doesn't.
>
> I've tried using idassert-bind mode=self bindmethod=simple
> binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and it runs
> ok, but I prefer not to use an administrative account to connect the proxy to
> the targets.
>
> Is there something I'm missing?

Yes, you did not read the slapd-meta(5) man page.  rebind-as-user is used in
a totally different context.  What you need is idassert-bind.


Please direct further conversation to <openldap-technical@openldap.org>.
This ITS will be closed.

p.


-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
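The idassert-bind setup the reply points to, written out for the poster's three targets as an added example (not from the original thread or from OpenLDAP's documentation). It assumes a dedicated entry cn=proxy,ou=users,dc=test,dc=com and a placeholder password; the proxy identity needs no administrative rights on the targets, only authorization to assert identities under ou=users (authzTo on its entry, honoured via authz-policy on the target), and the target's ACLs are then evaluated against the asserted user DN.

```conf
# ---- proxy: slapd.conf ------------------------------------------------
database        meta
chase-referrals yes

# Target holding the accounts: clients bind here with their own DN and
# password, so no identity assertion is needed for this suffix.
suffix  "ou=users,dc=test,dc=com"
uri     "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"

# Data targets: the proxy never holds the client's password for reuse, so
# it binds with its own low-privilege identity and asserts the client's
# DN through the Proxied Authorization control (mode=self).
suffix  "ou=target1,dc=test,dc=com"
uri     "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=users,dc=test,dc=com"
                credentials="PROXY-PASSWORD-PLACEHOLDER"
                mode=self
# Only identities under ou=users may be asserted through this target;
# anything else (including anonymous clients) is refused, not forwarded.
idassert-authzFrom "dn.subtree:ou=users,dc=test,dc=com"

suffix  "ou=target2,dc=test,dc=com"
uri     "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=users,dc=test,dc=com"
                credentials="PROXY-PASSWORD-PLACEHOLDER"
                mode=self
idassert-authzFrom "dn.subtree:ou=users,dc=test,dc=com"

# ---- each target instance: slapd.conf ---------------------------------
# Let the binding identity's own authzTo attribute decide whom it may
# impersonate (the replicated cn=proxy entry carries that attribute).
authz-policy    to

# ---- entry for the proxy identity (in ou=users, replicated to targets) -
# dn: cn=proxy,ou=users,dc=test,dc=com
# objectClass: person
# cn: proxy
# sn: proxy
# userPassword: {SSHA}...   (hash of PROXY-PASSWORD-PLACEHOLDER)
# authzTo: dn.subtree:ou=users,dc=test,dc=com
```

Scope authzTo as narrowly as the user population allows; a proxy identity that can assert arbitrary DNs is equivalent to an administrative account on the target.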