[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Proxy to "other directory server" with authentication?

Mark Colaluca wrote:

> I'm looking to set up a few OpenLDAP servers as pure query-only proxies
> (no update at this point) to our "other directory" servers we happen to
> use in our environment.  We'd like to keep the security settings we
> currently have on these "other directory" servers that only allows users
> with valid accounts on the said "other directory" server to query the
> server.  What would be the simplest, quickest configuration to achieve
> this?  Should I create a generic 'ldapuser' account on the "other
> directory" server and use those credentials every time?  Can I "pass" a
> user's credentials as part of my proxy request?
> I've read through the Admin Guide and the sample slapd.conf files, and
> I'm a little stumped as to how to proceed - I only made it as far as
> setting up the very basic proxy server.
> current slapd.conf
> ----------------------------
> database       ldap
> lastmod        off

^^^ this is no longer necessary (assuming you use 2.3 code)

> uri              
> "ldap://ouradserver.ourdomain.com:389/DC=ourdomain,DC=com";

^^^ the DN portion of the LDAP URL is not allowed

> suffix          "dc=ourdomain,dc=com"
> Thanks for any tips and pointers,

The possibility to proxy remote DSAs has been discussed many times on
the openldap-software mailing list.  It is not clear what you exactly
intend to do with respect to authentication.

If you plan to proxy requests by users that have an account on the
remote DSA, back-ldap does it by default, by proxying simple binds to
the remote DSA.

If you want back-ldap to proxy requests by users that don't have an
account on the remote DSA (which implies they have an account somewhere
else, other wise they wouldn't be users), then back-ldap can do it by
means of identity assertion with mode=self (see idassert-bind in
slapd-ldap(5)), which requires the remote DSA to support proxied
authorization (RFC4370).

On the contrary, if you mean that the proxy should fool the remote DSA
by using a (not too) privileged identity to proxy authenticated as well
as anonymous requests, then back-ldap can do it as well, again by means
of identity assertion with mode=none (see idassert-bind in
slapd-ldap(5)).  In this case, the remote DSA does not need to support
proxied authorization (RFC4370), but, to allow anonymous to be asserted,
you'll need to explicitly authorize it by using "idassert-authzFrom *"


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it