
Re: Chain authentication bind configuration

Yeah, that was my thought.  I've tried about a dozen different combinations
and I run into one problem.

First, rebind-as-user and chain-idassert-bind seem to only work properly
when I bind to OpenLDAP anonymously.

The other problem is that the user authentication can't be passed along,
because this is essentially being built to provide access to two completely
separate Active Directory LDAP servers for user authorization from a common
remote access platform.  We'd use RADIUS, but RADIUS in this case can't be
used for authorization, only authentication.

Basically I've hacked the Active Directory 2003 server to allow anonymous
bind and read in the cn=users,dc=domain,dc=local container to
unauthenticated users.  Unfortunately, I don't think my (government)
customer will want to do that in production.

Essentially I need to statically configure a bind DN and password in the
chain-idassert-bind that will be used for the connection back to the AD LDAP
server for the query.  Most of what I found in the documentation centers
around allowing bind users' authentication to be passed through the
connection so long as it matches a "bind allow access list".

It seems that something in the "from/to" rules may apply, but I am just
having trouble getting my hands around exactly what the combination is.

When I do a tcpdump on the network, the chain is working.  The OpenLDAP
server actually makes a bind request to AD and follows the reference for the
client.  The problem is the bind is simple and empty (the RFC definition of
an anonymous bind).

I'll spend some more time this weekend tinkering, but if you can think of
any knobs I need to set I'd certainly welcome the help.


On 1/11/08 10:09 AM, "Gavin Henry" <ghenry@suretecsystems.com> wrote:

> Dave Stoll wrote:
>> I'm on 2.4.7
> I take it you are using the chain overlay?
> I think you can use chain-rebind-as-user and chain-idassert-bind
> man slapo-chain

Dave Stoll
echo mac | sed 's/^/dave.stoll@/;s/$/.com/'
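As an added illustration (not from Dave's or Gavin's posts), this is the shape of a global slapd.conf fragment that does what the thread is asking for: slapo-chain chases the referral to AD and always binds with one fixed proxy identity, whether the client bound to OpenLDAP anonymously or not. Host names, the proxy account DNs and the passwords are placeholders; the directive names are taken from slapo-chain(5) and slapd-ldap(5) as I understand them, and the authzFrom pattern is an assumption about what the poster wants, so check both man pages on the 2.4 build in use.

```conf
# Added example, not part of the original thread.  Placeholders: host
# names, proxy account DNs, passwords.

# The chain overlay lives in the global (frontend) section, before any
# "database" directive, so referrals returned by every backend are chased.
overlay             chain
chain-max-depth     1
# Hand the remote server's result/error back instead of the raw referral.
chain-return-error  TRUE

# One "remote database" per AD forest; directives after a chain-uri apply
# only to that URI.
chain-uri           "ldap://ad1.domain.local"
# Never reuse the client's own bind on the chained connection.
chain-rebind-as-user FALSE
# Static proxy identity.  mode=none: bind as this DN and send NO proxyAuthz
# control (AD does not implement it).  flags=override: use this identity
# even when the client authenticated to OpenLDAP, not only when anonymous.
chain-idassert-bind bindmethod=simple
    binddn="cn=ldapproxy,cn=users,dc=domain,dc=local"
    credentials="change-me"
    mode=none
    flags=override
# Which local identities may trigger the assertion.  A regex matching any
# DN (including the empty anonymous DN) is an assumption about what the
# poster needs; tighten it in production.
chain-idassert-authzFrom "dn.regex:.*"
# Optional: StartTLS to the DC so the static password and the queries do
# not show up in tcpdump (the DC needs a server cert; slapd-ldap(5) tls_*
# options such as tls_cacert can follow the keyword).
#chain-tls start

# Second forest: repeat with its own URI and its own proxy account.
chain-uri           "ldap://ad2.otherdomain.local"
chain-rebind-as-user FALSE
chain-idassert-bind bindmethod=simple
    binddn="cn=ldapproxy,cn=users,dc=otherdomain,dc=local"
    credentials="change-me-too"
    mode=none
    flags=override
chain-idassert-authzFrom "dn.regex:.*"
```

Two things to keep in mind with this layout. The AD password sits in clear text in slapd.conf, so the file needs to be readable only by the slapd user, and the proxy account should be an ordinary read-only domain user scoped to the container it has to search, nothing more. And because every chained query now reaches AD as that one identity, AD's own ACLs no longer see the end user; any per-user authorization decision has to be made from what the remote access platform reads back (group membership, attributes), not by AD denying the read.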