[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP proxy, identity assertion and suffix massage

To: openldap-technical@openldap.org
Subject: OpenLDAP proxy, identity assertion and suffix massage
From: Clément OUDOT <clem.oudot@gmail.com>
Date: Mon, 29 Aug 2011 17:55:32 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type :content-transfer-encoding; bh=uuW7JjP3JU6rtmbGWI0Ve1zusGiQPlMPLlK+d/50eMw=; b=S5qEqez+ZKseMUEdmbe5Kg4ReJmjpPeq4kew/QKh88VaRnGe8ZEPXMi+zcxPMM1fUx KJHQnfgm1ShK7oAP1rsJxzqc6JMg1zxTFQwjgZgU+x/AQhEk/HgSgrx6bAsyVNFAvdFZ JznL5sIqqqh5vvpTkDlEgBRUSWwqVBpOHKM1o=

Hello,

I am using OpenLDAP 2.4.26 on GNU/Linux. I would like to configure a
simple proxy with identity assertion and suffix massage and assert
identity for the rootdn of my LDAP backend, to match the rootdn of the
proxied backend (on port 390).

Here is my configuration :

------------
database        ldap
suffix          "ou=am,dc=local"
rootdn "cn=manager,ou=am,dc=local"
rootpw secretproxy

uri ldap://127.0.0.1:390

idassert-bind bindmethod=simple
   binddn="cn=admin,dc=example,dc=com"
   credentials="secret"
   mode=none
idassert-authzFrom "dn.exact:cn=manager,ou=am,dc=local"

overlay rwm
rwm-suffixmassage   "ou=am,dc=local" "dc=example,dc=com"
------------


When I try to authenticate with "cn=manager,ou=am,dc=local" on the
proxy, the bind is forwarded to the proxied directory directly, as
"cn=manager,dc=example,dc=com". It seems the rwm overlay has done the
substitution, so the idassert-authzFrom does not match. This ended
with an LDAP error 48, as we can see here:

------------
>>> dnPrettyNormal: <cn=manager,ou=am,dc=local>
=> ldap_bv2dn(cn=manager,ou=am,dc=local,0)
<= ldap_bv2dn(cn=manager,ou=am,dc=local)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,ou=am,dc=local)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,ou=am,dc=local)=0
<<< dnPrettyNormal: <cn=manager,ou=am,dc=local>, <cn=manager,ou=am,dc=local>
conn=1001 op=0 BIND dn="cn=manager,ou=am,dc=local" method=128
do_bind: version=3 dn="cn=manager,ou=am,dc=local" method=128
==> rewrite_context_apply [depth=1] string='cn=manager,ou=am,dc=local'
==> rewrite_rule_apply rule='((.+),)?ou=am,[ ]?dc=local$'
string='cn=manager,ou=am,dc=local' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'cn=manager,dc=example,dc=com'}
[rw] bindDN: "cn=manager,ou=am,dc=local" -> "cn=manager,dc=example,dc=com"
>>> dnPrettyNormal: <cn=manager,dc=example,dc=com>
=> ldap_bv2dn(cn=manager,dc=example,dc=com,0)
<= ldap_bv2dn(cn=manager,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=manager,dc=example,dc=com)=0
<<< dnPrettyNormal: <cn=manager,dc=example,dc=com>,
<cn=manager,dc=example,dc=com>
===>slap_sasl_match: comparing DN cn=manager,dc=example,dc=com to rule
dn:cn=manager,ou=am,dc=local
slap_parseURI: parsing dn:cn=manager,ou=am,dc=local
<===slap_sasl_match: comparison returned 48
send_ldap_result: conn=1001 op=0 p=3
send_ldap_result: err=48 matched="" text=""
send_ldap_response: msgid=1 tag=97 err=48
------------


Do you have any suggestion for using the idassert-authzFrom parameter
with the suffixmassage?


Thanks for your help,

Clément.

Prev by Date: Re: sudoers: not able to execute commands with sudo
Next by Date: RE: sudoers: not able to execute commands with sudo
Index(es):
- Chronological
- Thread