
Re: chain + rebind-as-user

On Sun, 2005-10-02 at 04:02 +0400, Mitya wrote:
> Hi,
> I didn't manage to make it work.
> database        ldbm
> directory       /var/lib/ldap/foo
> suffix          ou=Foo
> rootdn          cn=Manager,ou=Foo
> overlay         chain
> chain-rebind-as-user    yes
> That "foo" database contains referrals pointing to the server that
> shares authentication info with this one. When I try authenticated
> search, referral chasing takes place, but slapd tries to chase them
> anonymously, without proper rebinding.
> Is there any obvious way to overcome this?
> Thank you!

I think that's not the way it works.  In fact, the proxy can rebind-as-
user if the proxy itself authenticated the user from scratch by
performing a simple bind and saving the DN and the credentials, but in
this case the "chain" overlay didn't have any chance to save the

If you're using 2.3 you can use identity assertion to instruct the
"chain" overlay to bind with some well-known identity and assert that of
the user by means of the proxyAuthz control.  Something like

database        ldbm
directory       /var/lib/ldap/foo
suffix          ou=Foo
rootdn          cn=Manager,ou=Foo
overlay         chain

where mode=self instructs the "chain" overlay to proxyAuthz with the
identity of the original operation.  The remote server must understand
proxyAuthz, and "cn=Proxy" must be allowed to authz as the users you
intend to authorize.  Note that the identity you specify must be known
to all the URIs that may be returned as referrals, since there is no
way to specify an identity based on the URI.  This would be useful, and
might be implemented in view of the strengthening of the "chain"
overlay I'm planning.

Since you're using back-ldbm, I suspect you're not ready for 2.3 yet...


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
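As an added example of the identity-assertion set-up described in the reply above (it is not part of the original message and not configuration shipped by the OpenLDAP project), the two sides of the arrangement in OpenLDAP 2.3 slapd.conf syntax. Assumed for illustration: the proxy identity cn=Proxy,ou=Foo with a placeholder password, user entries living under ou=People,ou=Foo, and a referral target running slapd with the same suffix; the hostnames and paths are placeholders.

```conf
### file 1: slapd.conf on the chaining (proxy) server -- hypothetical
database        ldbm
directory       /var/lib/ldap/foo
suffix          ou=Foo
rootdn          cn=Manager,ou=Foo
overlay         chain
# Bind to every chased referral as cn=Proxy and assert the identity of the
# original operation (mode=self) through the proxyAuthz control.
# "proxy-secret" is an assumed placeholder.  It is stored in clear text, so
# slapd.conf must be readable only by the account slapd runs as.
chain-idassert-bind     bindmethod=simple
                        binddn="cn=Proxy,ou=Foo"
                        credentials="proxy-secret"
                        mode=self

### file 2: slapd.conf on the referral target -- hypothetical
database        bdb
directory       /var/lib/ldap/foo
suffix          ou=Foo
rootdn          cn=Manager,ou=Foo
# Honour proxyAuthz only for identities whose own entry carries an authzTo
# rule ("to" policy).  Without this line every proxyAuthz request is refused.
authz-policy    to

### file 3: proxy.ldif, loaded on the referral target as rootdn -- hypothetical
# The proxy identity must exist on every server a referral can point at,
# with the same DN and password, since the chain overlay uses one identity
# for all URIs.  authzTo is an operational attribute set by the rootdn.
dn: cn=Proxy,ou=Foo
objectClass: person
cn: Proxy
sn: Proxy
userPassword: proxy-secret
# Least privilege: allow assertion only of DNs in the user subtree.
# A catch-all such as dn.regex:.* would let a leaked proxy password
# impersonate cn=Manager and every other entry on this server.
authzTo: dn.regex:^uid=[^,]+,ou=People,ou=Foo$
```

Two checks before relying on it. First, the asserted identity must also exist on the referral target: mode=self sends the DN of the user who bound to the proxy, and the target evaluates its own access controls against that DN, so a user entry that is present only locally will be authorized as nothing. Second, verify the authzTo rule directly on the target with ldapwhoami, binding as cn=Proxy,ou=Foo and passing the assertion as a critical control (`-e '!authzid=dn:uid=someuser,ou=People,ou=Foo'`): the reply should be the asserted user DN, and the same command with a DN outside the subtree (for example cn=Manager,ou=Foo) should be refused.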