
Re: Chain authentication bind configuration

Dave Stoll wrote:
Yeah, that was my thought. I've tried about a dozen different combinations
and I run into one problem.

First, rebind-as-user and chain-idassert-bind seem to only work properly
when I bind to openldap anonymously.

Have a look at mode and flags in "man slapd-ldap", test032-chain and tests/data/slapd-chain*.conf

The other problem is that the user authentication can't be passed along, because this is essentially being built to provide access to two completely separate Active Directory LDAP servers for user authorization from a common remote access platform. We'd use RADIUS, but RADIUS in this case can't be used for authorization, only authentication.

Basically I've hacked the Active Directory 2003 server to allow anonymous
bind and read in the cn=users,dc=domain,dc=local container to
unauthenticated users. Unfortunately, I don't think my (government)
customer will want to do that in production.

Essentially I need to statically configure a bind DN and password in the
chain-idassert-bind that will be used for the connection back to the AD LDAP
server for the query.  Most of what I found in the documentation centers
around allowing bind users' authentication to be passed through the
connection so long as it matches a "bind allow access list".

It seems that something in the "from/to" rules may apply, but I am just
having trouble getting my hands around exactly what the combination is.

When I do a tcpdump on the network, the chain is working. The OpenLDAP
server actually makes a bind request to AD and follows the referral for the
client. The problem is that the bind is simple and empty (the RFC definition of
an anonymous bind).

I'll spend some more time this weekend tinkering, but if you can think of
any knobs I need to set I'd certainly welcome the help.


On 1/11/08 10:09 AM, "Gavin Henry" <ghenry@suretecsystems.com> wrote:

Dave Stoll wrote:
I'm on 2.4.7

I take it you are using the chain overlay?

I think you can use chain-rebind-as-user and chain-idassert-bind

man slapo-chain

Kind Regards,

Gavin Henry.
Managing Director.

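A slapd.conf fragment for the static-identity setup Dave asks about, binding the chained connection to AD as a fixed read-only proxy account instead of the empty anonymous bind seen in tcpdump. This is an added example, not from the thread or from the OpenLDAP test configs; the AD hostname, proxy DN and password are placeholders, and the authzFrom and flags values are assumptions to check against slapd-ldap(5) and slapo-chain(5) for the slapd version in use.

```conf
# Placed in the global/frontend section, before the first "database" line,
# so the chain overlay applies to referrals returned by every database.
overlay                 chain

# Referrals pointing at this server are chased instead of being handed back
# to the client. Hostname is a placeholder.
chain-uri               "ldap://AD-SERVER-PLACEHOLDER.domain.local"

# Do not re-bind to AD with the client's own credentials: the local client
# (anonymous or locally authenticated) has no AD identity to pass along.
chain-rebind-as-user    FALSE

# Static identity for the chained connection. mode=none means the
# connection is simply bound as this DN and no proxyAuthz control is sent,
# which is the point here: the "legacy"/"self" modes rely on the proxied
# authorization control, and AD rejects it. Use a plain, read-only domain
# account for the proxy DN, never a privileged one.
chain-idassert-bind     bindmethod=simple
                        binddn="cn=ldapproxy,cn=Users,dc=domain,dc=local"
                        credentials="PROXY-PASSWORD-PLACEHOLDER"
                        mode=none
                        flags=non-prescriptive

# The "bind allow access list" from the documentation: which local
# identities may use the asserted identity. Assumed here to allow every
# local DN, including the anonymous client, since the remote-access
# platform itself never authenticates through AD.
chain-idassert-authzFrom "dn.regex:.*"

# Surface AD's error to the client instead of falling back to the raw
# referral, so a failed proxy bind is visible rather than silently retried
# anonymously by the client.
chain-return-error      TRUE
```

Verify with a tcpdump on the AD side that the bind request now carries the proxy DN rather than an empty name, and that the proxy account's permissions on cn=Users are limited to the attributes the authorization lookup needs.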