[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-{ldap,meta} && authentication

> I'd like to have a local slapd on my mailserver (QmailLDAP/Controls)
> which is readable only through a socket (ldapi) to spead things up
> for Qmail (at least I HOPE that it's going to be faster :).
> I tried to have a COPY of the database (which is replicated from the
> master). This work exeptionally well (even though it's not THAT much
> faster - barely noticable).
> But I don't want to risk inconsistencies, so I was thinking CACHING
> PROXY instead. Which, if I read the manuals correctly, would be
> provided by 'meta', not 'ldap'.... ?
> I can get results from the proxy, but I don't get ALL of it when
> using my (Kerberos V) ticket (using SASL). This works when the local
> slapd is a COPY (I use almost the exact same config files for the
> to attempts)...
> What don't work is the sasl-regexp... From 'ldapwhoami', I get
>         dn:uid=turbo,cn=swe.net,cn=gssapi,cn=auth
> and not the 'expected' (which I get on the 'master').
>         dn:uid=turbo,ou=people,o=swe.net ab,c=se
> This is part of the slapd.conf on the slave:
> ----- s n i p -----
> database                ldap
> default-target          none
> suffix                  "c=SE"
> uri                     "ldap://master/c=SE";
> dncache-ttl             60
> lastmod                 off
> proxy-whoami
> rebind-as-user
> ----- s n i p -----
> On both the 'slave' and 'master', I have this sasl-regexp (in one
> place to much!?):
> ----- s n i p -----
> sasl-regexp
>         uid=(.*),cn=(.*),cn=(.*),cn=auth
>         ldap:///c=SE??sub?(krb5PrincipalName=$1@SWE.NET)
> sasl-regexp
>         email=(.*),cn=(.*),ou=(.*),o=(.*),c=(.*)
>         ldap:///ou=$3,o=$4,c=$5??sub?(&(cn=$2)(|(mail=$1)(mailAlternateAddress=$1)))
> ----- s n i p -----
> This works exactly as planed when slapd is using a 'bdb' backend, but
> not 'ldap' (or 'meta' for that matter).
> What am I missing? Note that I don't want _ANY_ rewriting
> or anything. The 'meta' slapd should match exactly the master...
> I'll be trying 'overlay' later to have the cache 'on file', but
> currently that gives me errors, so I'll stick to one problem at
> the time...
> I've been trying to check the mail archives but that doesn't
> show me ANYTHING that have to do with _authentication_, only
> _searches_...

Exactly.  You cannot perform SASL bind with back-ldap.  You're supposed to
use simple auth.  If you use HEAD code, you can have the proxy bind with
SASL to the remote server, and eventually proxyAuthz your local identity
(see idassert-* in HEAD's slapd-ldap(5)).  Note that proxying SASL auth
might be impossible, and at least mechanism dependent (as far as I
understand of SASL).


Pierangelo Masarati

    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497