[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Chain authentication bind configuration

This worked perfect.  The flag "non-prescriptive" was exactly what I needed
to statically-force the binddn for the chain.  The end use for this is an
LDAP server which acts as a "superroot" tree for multiple active directory
systems in an 802.1x switch authorization service.

Thanks for your help Gavin.

On 1/11/08 11:39 AM, "Gavin Henry" <ghenry@suretecsystems.com> wrote:

> Dave Stoll wrote:
>> Yeah that was my thought.  I've tried about a dozen different combinations
>> and I run into one problem..
>> First, rebind-as-user and chain-idassert-bind seem to only work properly
>> when I bind to openldap anonymously.
> Have a look at mode and flags in "man slapd-ldap", test032-chain and
> tests/data/slapd-chain*.conf
>> The other problem is that the user authentication can't be passed along
>> because this is essentially being built to provide access to two completely
>> separate active directory ldap servers for user authorization from a common
>> remote access platform.  We'd use radius, but radius in the case can't be
>> used for authorization, only authentication....
>> Basically I've hacked the active directory 2003 server to allow anonymous
>> bind and read in the cn=users,dc=domain,dc=local container to
>> unauthenticated users.  Unfortunately, I don't think my (government)
>> customer will want to do that in production.
>> Essentially I need to statically configure a bind DN and password in the
>> chain-idassert-bind that will be used for the connection back to the AD LDAP
>> server for the query.  Most of what I found in the documentation centers
>> around allowing bind users' authentication to be passed through the
>> connection so long as it matches a "bind allow access list".
>> It seems  that something in the "from/to" rules may apply, but I am just
>> having trouble getting my hands around exactly what the combination is.
>> When I do a tcpdump on the network, the chain is working.  The openldap
>> server actually makes a bind request to AD and follows the reference for the
>> client.  The problem is the bind is simple and empty (rfc definition for
>> anonymous bind).
>> I'll spend some more time this weekend tinkering, but if you can think of
>> any knobs I need to set I'd certainly welcome the help.
>> Cheers,
>> Dave
>> On 1/11/08 10:09 AM, "Gavin Henry" <ghenry@suretecsystems.com> wrote:
>>> Dave Stoll wrote:
>>>> I'm on 2.4.7
>>> I take it you are using the chain overlay?
>>> I think you can use chain-rebind-as-user and chain-idassert-bind
>>> man slapo-chain

Dave Stoll
echo mac | sed 's/^/dave.stoll@/;s/$/.com/'