
Re: Using back-ldap as a dumb proxy



On Thursday 22 February 2007 02:51, Quanah Gibson-Mount wrote:
> --On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati
>
> <ando@sys-net.it> wrote:
> > Quanah Gibson-Mount wrote:
> >> Sure.  Which configuration do you want me to try it with? ;)  Here is -d
> >> -1 with this config:
> >>
> >> idassert-bind   bindmethod=sasl
> >>                saslmech=gssapi
> >>                realm=stanford.edu
> >>                authcID=service/mailrouter@stanford.edu
> >>
> >> authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
> >
> > First of all, what's missing here is the "mode" parameter; what do you
> > want the proxy to do?  bind as "service/mailrouter@stanford.edu", SASL
> > authorize as
> > "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and
> > then?  proxy authorize as the incoming request?  just keep the
> > "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
>
> What I want for it to do is bind using the Krb5 ticket cache specified in
> slapd's environment, and use whatever identity gets *automatically*
> negotiated on the remote servers side.  All this authcID and authZID stuff
> is really unnecessary, since the remote server handles it anyway.
Hm, if I understand you correctly, then you probably want to set "mode=none" 
in idassert-bind. The following config worked for me with OpenLDAP 2.3.33 
proxying to an Active Directory:

idassert-authzFrom dn.regex:.*
idassert-bind bindmethod=SASL
    saslmech=GSSAPI
    mode=none

Note that the idassert-authzFrom that I used will allow every user (even 
non-authenticated) to exploit the identity assertion feature. IIRC that means 
all queries against your proxy (regardless of how they authenticated) will get to 
the proxied server authenticated and authorized as the identity that is 
referenced in the Kerberos ticket cache that your proxy uses. At least that 
is how I interpreted the man pages and how my test setup behaved.

So you probably want to restrict the idassert-authzFrom option in your 
environment.

> What "service/mailrouter@stanford.edu" gets mapped to on the remote server
> IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the
> authz-regexp rule on the remote server.

-- 
Ralf Haferkamp
SUSE LINUX Products GmbH, Maxfeldstrasse 5, D-90409 Nuernberg
T: +49-911-74053-0
F: +49-911-74053575 - Ralf.Haferkamp@suse.com
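As an added illustration (not part of the thread), a slapd.conf back-ldap fragment that keeps the GSSAPI/mode=none binding from the reply above but contrasts the wide-open idassert-authzFrom with one limited to a local subtree; the suffix, upstream URI and ou=people subtree are placeholders.

```conf
# Added example (not from the thread): back-ldap proxy that binds with the
# Kerberos ticket cache found in slapd's environment and keeps that identity.
database        ldap
suffix          "dc=example,dc=com"            # placeholder local suffix
uri             "ldap://ad.example.com/"        # placeholder upstream server

idassert-bind   bindmethod=SASL
                saslmech=GSSAPI
                mode=none

# Weak: ".*" also matches the empty DN, so anonymous clients reach the
# upstream server as the proxy's Kerberos principal.
#idassert-authzFrom "dn.regex:.*"

# Restricted: only identities that authenticated locally under ou=people
# may use the asserted identity; an empty (anonymous) DN is not in the subtree.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
```

Anonymous binds against the proxy then fail the authzFrom check instead of being forwarded under the proxy's identity.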