RE: back-ldap & GSSAPI
--On Monday, September 15, 2003 5:22 PM -0700 Howard Chu wrote:

> > [mailto:owner-openldap-software@OpenLDAP.org] On Behalf Of Quanah
> > in reading the back-ldap man page, I don't see that it is possible to
> > proxy via GSSAPI. In the case I'm looking at, we'd have a machine that
> > would have its own authcId. It would use that authcId for requests to
> > get the information it wants from our openldap servers. Am I correct in
> > thinking this can't be done with back-ldap as it
> Not entirely sure of what you mean by proxying, since it has two different
> meanings that may be relevant here. But I'm fairly sure the answer for
> 2.1 is it can't be done.
>
> back-ldap forwards requests using the same ID/credentials that it
> received. This only works for simple binds. It could be made to work for
> other mechanisms by way of the Proxy Authorization control. Perhaps this
> would be a good feature to add in a future release. Certainly I would
> prefer to see it behave this way; it would make connection management
> much much simpler.
I'm not quite sure that would work for me either, in this case, but it
might. The systems are currently configured this way:

System A is the one the request originates from. It is on a VPN that can't
System B is on the VPN and the outside network. It would run back-ldap.
System C is our ldap server setup.

A contacts B and authenticates via simple authentication.
B proxies the request using its authcId via SASL/GSSAPI to C.
C responds, everything flows back to A.

It may be possible to run Kerberos on A, and then just proxy its
credentials through, but I'll have to get further information from the
people running Systems A & B to know for sure. If so, your idea would
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
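For readers who want to see what the Proxy Authorization approach Howard describes looks like once configured, the fragments below are an added example and are not from this thread or from either poster. They assume a later OpenLDAP release (2.4 or newer) whose back-ldap has the idassert-bind directive, so they do not apply to the 2.1 release under discussion. The host names, realm, DNs, attribute values and the service principal are placeholders chosen for the A/B/C layout above.

```conf
# --- System B: slapd.conf fragment for the back-ldap proxy (added example) ---
database        ldap
suffix          "dc=example,dc=com"
# The real directory (System C); placeholder host name.
uri             "ldap://ldap-c.example.com/"

# B authenticates to C with its own Kerberos identity (taken from the
# credential cache slapd runs with, e.g. KRB5CCNAME pointing at a cache kept
# fresh from a keytab) and then asserts the local client's identity on each
# operation with the Proxy Authorization control (mode=self).
idassert-bind   bindmethod=sasl saslmech=GSSAPI mode=self

# Restrict which local identities B is allowed to assert towards C; without
# this line the proxy would be willing to assert any identity it has seen.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"

# --- System C: slapd.conf fragment on the real servers ---
# Map B's GSSAPI authentication identity to a real entry so that ACLs and
# the authzTo attribute below can refer to it. The realm component must be
# spelled exactly as C reports it; check with: ldapwhoami -Y GSSAPI
authz-regexp
    "uid=ldap/proxy-b.example.com,cn=EXAMPLE.COM,cn=gssapi,cn=auth"
    "cn=proxy-b,ou=services,dc=example,dc=com"

# Authorization policy "to": the proxy's own entry lists whom it may act as
# (authzTo). Users' entries do not get to grant impersonation themselves.
authz-policy    to

# --- System C: the proxy's entry, as LDIF (placeholder values) ---
dn: cn=proxy-b,ou=services,dc=example,dc=com
objectClass: applicationProcess
cn: proxy-b
# Same scope as B's idassert-authzFrom, so the two sides agree on who may be
# proxied; tighten this regex to the smallest set of users that need B.
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Assumed behaviour, to be confirmed against the slapd-ldap(5) manual of the release actually deployed: A's own simple bind to B is still forwarded to C as a simple bind, so C has to be willing to accept it (over TLS at the very least), and only the operations after that bind travel on B's single GSSAPI connection carrying the proxy-authorization control with A's DN. Two checks worth making on C after enabling this: that `ldapwhoami -Y GSSAPI` run as the proxy principal returns the mapped `cn=proxy-b` DN, and that the same client run with `-e authzid="dn:<some user>"` succeeds only for DNs matched by the authzTo regex.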