Re: proxyAttrSet: Only using the LAST value



Let me elaborate a bit on this, although it might rather belong to -devel.

First of all: I'm developing/testing this using DIGEST-MD5 with plaintext
credentials stored in the directory (in the remote server).  I know
GSSAPI will work in a rather different manner, but part of this should
still apply.

What slapd with back-ldap currently does, when operations are attempted
with SASL binds, is:

- the SASL bind is handled by the frontend, which turns the SASL identity
into a DN via authz-regexp; if the DN is subordinate to the back-ldap
proxy, the proxy is used to retrieve the user's data from the remote
server, including the password.  For this purpose, the proxy binds as a
privileged user, and it can be instructed to use a SASL bind:

idassert-method sasl [params]

The above might need to be extended to allow SASL params specific to other
mechs, e.g. GSSAPI; I'm open to contributions in this sense.

- the subsequent operations are handled at the proxy side with the
client's identity; however, the remote server doesn't know the client
successfully authenticated at the proxy side, so the proxy asserts the
client's identity at the remote server by means of the proxyAuthz control;
in other words, when doing a search, the client is authenticated at the
proxy side, so the proxy trusts it and decides to assert its identity at
the remote server's side; use

idassert-mode self override

which means: assert the identity of the client ("self"), overriding the
original authentication ("override"); without "override", the proxy would
try to perform a simple bind as the original client, whose DN is available
since it was resolved by the SASL bind, but whose credentials are empty,
as they ought to be.

For the purpose of identity assertion, the proxy and the remote server
must cooperate to some extent, i.e. the privileged identity the proxy uses
must be allowed, at the remote server's side, to authorize as the client's
identity (you won't let anybody authorize as the rootdn of the remote
server, for instance).

Note for users: the "override" feature is very recent, and the capability
to proxyAuthz SASL binds is really a last minute add-on.  Both of them are
not yet documented either in HEAD's slapd-ldap(5) or in the Identity
Assertion FAQ entry <http://www.openldap.org/faq/data/cache/532.html>;
they're on my todo list.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
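The setup described in the message above, written out as slapd.conf and LDIF fragments for both sides.  This is an added example, not part of the original post and not taken from OpenLDAP's own documentation.  The suffix, host name, DNs, passwords and the parameter names that follow "idassert-method sasl" are assumptions; the post itself says those parameters may still change, so check slapd-ldap(5) of the release you run before copying them.

```conf
#
# Proxy side: slapd with back-ldap in front of remote.example.com.
# All names, DNs and passwords below are made up for this example.
#

# Frontend: map the client's DIGEST-MD5 SASL identity to a DN that is
# subordinate to the back-ldap suffix.  The SASL bind is then completed
# by reading the user's entry (plaintext userPassword included) through
# the proxy from the remote server.  Global directive: must precede the
# first "database" line.
authz-regexp
    "uid=([^,]*),cn=digest-md5,cn=auth"
    "uid=$1,ou=People,dc=example,dc=com"

database    ldap
suffix      "dc=example,dc=com"
uri         "ldap://remote.example.com/"

# Privileged identity the proxy uses to fetch the user's entry for the
# SASL bind, itself bound to the remote server via SASL.  The parameter
# names after "sasl" are assumed here (see slapd-ldap(5) for your release).
idassert-method sasl mech=DIGEST-MD5 authcid=proxy cred=proxy-secret

# Later operations: assert the authenticated client's identity at the
# remote server with the proxyAuthz control ("self"); "override" is
# required because the client's credentials are not available to the
# proxy, so a simple bind as the client would be attempted with empty
# credentials and fail.
idassert-mode self override

#
# Remote side (remote.example.com): the proxy's privileged identity must
# be allowed to authorize as the proxied users, and only as them.
#

# Map the proxy's own DIGEST-MD5 identity to its entry, and let entries
# state whom they may authorize as via the authzTo attribute.  Both are
# global directives.
authz-regexp
    "uid=proxy,cn=digest-md5,cn=auth"
    "cn=proxy,ou=Services,dc=example,dc=com"
authz-policy to

database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=Manager,dc=example,dc=com"
directory   /var/lib/ldap

# LDIF for the proxy's entry on the remote server (add as rootdn).
# userPassword is stored in the clear so DIGEST-MD5 can verify it; the
# authzTo regex restricts impersonation to entries under ou=People, so
# the proxy can never authorize as the remote rootdn or any service DN.
#
#   dn: cn=proxy,ou=Services,dc=example,dc=com
#   objectClass: person
#   cn: proxy
#   sn: proxy
#   userPassword: proxy-secret
#   authzTo: dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$
```

The two authz-regexp lines do different jobs: the proxy's one turns each end user's SASL identity into the DN that the proxy will later assert; the remote server's one only has to recognise the proxy's own identity, and "authz-policy to" plus the authzTo value on that entry is what lets the proxyAuthz control succeed.  A quick check that the restriction holds is to bind as the proxy against the remote server with ldapsearch -Y DIGEST-MD5 and pass -e !authzid="dn:cn=Manager,dc=example,dc=com": the operation must be rejected, while an authzid of a user under ou=People must be accepted.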