[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: strong bind with back-ldap

To: openldap-software@openldap.org
Subject: Re: strong bind with back-ldap
From: "Dieter Kluenter" <dieter@dkluenter.de>
Date: Tue, 21 Aug 2007 18:01:49 +0200
In-reply-to: <46CAE25B.7020709@sys-net.it> (Pierangelo Masarati's message of "Tue, 21 Aug 2007 15:02:19 +0200")
References: <873aydku44.fsf@magenta.l4b.de> <46CAE25B.7020709@sys-net.it>
User-agent: Gnus/5.1006 (Gnus v5.10.6) XEmacs/21.5 (chestnut, linux)

Hello,

Pierangelo Masarati <ando@sys-net.it> writes:

> Dieter Kluenter wrote:

>> | uri             ldap://localhost:389
>> | acl-bind
>> |         bindmethod=sasl
>> |         saslmech=digest-md5
>> |         authcId=admanager
>> |         credentials=mailer
>> | #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
>> | idassert-bind
>> |         bindmethod=sasl
>> |         saslmech=digest-md5
>> |         authzId=u:admanager
>
> ^^^ you should use authcId=admanager (or whatever identity you want to
> use as the proxy identity) much like for acl-bind...  With the above, as
> far as I understand, you sort of try to bind anonymously and authz as
> admanager, which is unlikely to succeed (but I think it's trapped
> earlier by the proxy and nothing is actually sent to the remote server
> with respect to identity assertion; then the failure at the server's side).
>
> Hope this helps.

I used authcId already with no avail. I tested almost any possible
parameter combination.
On the remote server password assertion of admanager and dieter is
successful performed but after password assertion no bind operation
with any of those identities is performed.

,----[ password asertion  by admanager ]
| slapd[7079]: => slap_access_allowed: no res from state (userPassword)
| slapd[7079]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci
| ,c=de", attr "userPassword" requested
| slapd[7079]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0) 
| slapd[7079]: <= check a_dn_pat: self
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: [2] applying read(=rscxd) (stop)
| slapd[7079]: <= acl_mask: [2] mask: read(=rscxd)
| slapd[7079]: => slap_access_allowed: read access granted by read(=rscxd)
| slapd[7079]: => access_allowed: read access granted by read(=rscxd)
`----

,----[ anonymous search ]
| slapd[7079]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci
| ,c=de", attr "sn" requested
| slapd[7079]: => acl_mask: to all values by "", (=0) 
| slapd[7079]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7079]: => slap_access_allowed: search access denied by =0
| slapd[7079]: => access_allowed: no more rules
`----

I have got the impression that  the idassert-bind parameters are never
passed to the remote server. If I disable acl-bind parameters and only
use idassert-bind parameters, back-ldap complains about 
SASL [conn=0] Failure: no secret in database 
but no connection is made to the remote server in order to verify the
credentials. 

I must admit that on the remote server I have successfully configured
sasl proxyauthentication by means of ldapdb. All I want to do, is to
put  back-ldap on a postfix server and use sasl auxprop ldapdb
against back-ldap.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6

References:
- strong bind with back-ldap
  - From: "Dieter Kluenter" <dieter@dkluenter.de>
- Re: strong bind with back-ldap
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: High availability
Next by Date: Re: strong bind with back-ldap
Index(es):
- Chronological
- Thread