[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Forcing TLS, but keep working SASL authentication

To: Dan White <dwhite@olp.net>
Subject: Re: Forcing TLS, but keep working SASL authentication
From: Wiebe Cazemier <wiebe@halfgaar.net>
Date: Fri, 4 Jan 2013 13:22:23 +0100 (CET)
Cc: openldap-technical@openldap.org
In-reply-to: <20121231172128.GF6619@dan.olp.net>
References: <916270750.16916.1356963720126.JavaMail.root@halfgaar.net> <2140823563.16975.1356965823423.JavaMail.root@halfgaar.net> <20121231172128.GF6619@dan.olp.net>
Thread-index: KN4F8cwHbjq14zAgoTYX03IZzJrL/g==
Thread-topic: Forcing TLS, but keep working SASL authentication

----- Original Message -----
> From: "Dan White" <dwhite@olp.net>
> To: "Wiebe Cazemier" <wiebe@halfgaar.net>
> Cc: openldap-technical@openldap.org
> Sent: Monday, 31 December, 2012 6:21:28 PM
> Subject: Re: Forcing TLS, but keep working SASL authentication
> 
> You can apply olcSecurity to a specific database as well (see man
> slapd-config). Configuring olcSecurity: tls=0 on
> olcDatabase={0}config,cn=config should have the intended behavior, if
> you
> only ever modify your config via ldapi:///.
> 
> >Inspecting all DB's with "ldapsearch -LLL -Y EXTERNAL -H ldapi:///
> >-b
> >cn=config", it appears the config DB's have an olcAccess rule like:
> >
> >
> >olcAccess: {0}to * by
> >dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> >manage by * break
> 
> Consider creating an authz-regexp to map:
> 
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> 
> to your olcRootDN below. Your above ACL is not necessary in that
> case,
> since your root dn will bypass any ACL restrictions.
> 
> >gid and uid = 0, so I guess it's the system's root account.
> >
> >I tried adding an olcRootDN and olcRootPW to
> >olcDatabase={0}config,cn=config so that I could modify the
> >cn=config, but
> >adding them gave an error: "<olcRootPW> can only be set when rootdn
> >is
> >under suffix". When I tried adding olcSuffix to "dc=domain,dc=tld",
> >it
> >said: "<olcSuffix> handler exited with 1". I also tried specifying a
> >olcRootDN only (no olcRootPW) (like cn=admin,dc=domain,dc=tld) and
> >then
> >add that user to "dc=domain,dc=tld", but it didn't work.
> >Unfortunately, I
> >don't remember what went wrong.
> 
> If you're performing EXTERNAL sasl authentication over ldapi:///, you
> won't
> need a olcRootPW, but you will need an authz-regexp.
> 
> I don't believe olcRootDN will need to exist, underneath
> dc=domain,dc=tld,
> in that case.
> 
> --
> Dan White
> 

So even if you set tls=0 on olcDatabase={0}config,cn=config, you need that authz-regexp? Because I just set tls=0, and "-Y EXTERNAL" over ldapi:/// is now complaining about requiring TLS again.

Unfortunately, I'm pretty new to LDAP, so I don't know how to define that authz-regexp. I don't what a regex is, of course, I just don't know what to tell the LDAP server...

Follow-Ups:
- Re: Forcing TLS, but keep working SASL authentication
  - From: Wiebe Cazemier <wiebe@halfgaar.net>

Prev by Date: Re: Fwd: Multi-Master OpenLDAP Replication for 3 nodes -- slapadd command failing
Next by Date: Re: Forcing TLS, but keep working SASL authentication
Index(es):
- Chronological
- Thread