back-ldap: using sasl external authentication with ldapi:///
- To: openldap-software@openldap.org
- Subject: back-ldap: using sasl external authentication with ldapi:///
- From: Kartik Subbarao <subbarao@computer.org>
- Date: Wed, 17 Mar 2010 11:22:07 -0400
- User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091209 Fedora/3.0-4.fc12 Thunderbird/3.0
With 2.4.21, I'm trying to use SASL EXTERNAL authentication with a
back-ldap instance pointed to another ldap server listening on the same
host -- ldapi:///. Here is the config:
database ldap
suffix o=llnw
uri ldapi:///
rebind-as-user true
idassert-bind bindmethod=sasl saslmech=EXTERNAL
This doesn't seem to work; it just results in a plain anonymous bind
over ldapi:
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 BIND dn="" method=128
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 RESULT tag=97 err=0 text=
[...]
I've tried the various mode= arguments and even tried setting
authcId/authzId, but ran into various errors. What I'm looking for is to
have all incoming anonymous connections be mapped to the equivalent of
this ldapsearch command:
ldapsearch -H ldapi:/// -Y EXTERNAL <...>
Which shows up in the slapd log like so:
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 fd=62 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="" method=163
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND authcid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM" authzid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM"
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=112
Thanks,
-Kartik
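As an added example (not part of the post), a small Python checker that parses slapd BIND log lines like the ones quoted above and reports, per connection, whether the proxy's bind to the ldapi backend was anonymous (method=128 with an empty dn) or SASL EXTERNAL (method=163, mech=EXTERNAL). The sample lines are copied from the post with the mail client's line wraps undone; the method values 128 and 163 are the BER tags of the BindRequest simple and SASL authentication choices.

```python
import re
from collections import defaultdict

# slapd syslog lines copied from the post above, with the mail client's line wraps undone.
SAMPLE_LOG = """\
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 BIND dn="" method=128
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 RESULT tag=97 err=0 text=
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 fd=62 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="" method=163
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND authcid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM" authzid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth@LLNW.COM"
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=112
"""

# Bind method as slapd logs it: the BER tag of the BindRequest authentication
# choice, 128 (0x80) = simple, 163 (0xA3) = SASL.
METHOD_SIMPLE, METHOD_SASL = 128, 163

LINE_RE = re.compile(r"conn=(\d+) (?:fd=\d+ ACCEPT from (\S+)|op=\d+ BIND (.*))")

def classify_binds(log_text):
    """Per connection, collect how the client bound: method, dn, mech, ssf, authcid/authzid."""
    conns = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # RESULT, SRCH, UNBIND etc. are not needed here
        conn, accept_from, bind = m.groups()
        if accept_from:
            conns[conn]["from"] = accept_from
            continue
        # A SASL bind is logged over several BIND lines; merge their key=value fields,
        # letting a later non-empty dn="..." replace the initial dn="".
        for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', bind):
            val = val.strip('"')
            if key == "method":
                conns[conn][key] = int(val)
            elif val or key not in conns[conn]:
                conns[conn][key] = val
    return dict(conns)

def bind_kind(summary):
    """Verdict on what identity was actually presented to the backend."""
    method = summary.get("method")
    if method == METHOD_SASL:
        return "sasl:%s" % summary.get("mech", "?")
    if method == METHOD_SIMPLE:
        return "anonymous" if not summary.get("dn") else "simple:%s" % summary["dn"]
    return "no-bind"

def report(log_text):
    """Map conn id -> bind kind; 'anonymous' on the ldapi socket means EXTERNAL was not used."""
    return {conn: bind_kind(s) for conn, s in classify_binds(log_text).items()}

if __name__ == "__main__":
    for conn, kind in sorted(report(SAMPLE_LOG).items()):
        print(conn, kind)
```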