
Re: Pass-through authentication to Active Directory when using saslbind



On 20 October 2013 09:26, Jesus Jr M Salvo <jesus.m.salvo@gmail.com> wrote:
>
> Hi there,
>
> I actually used that link / your example as the basis for my tests. Thanks
> for the info you published.
> From what I can summarise in your work, you have:
>
> 1) Pass-through authentication on one LDAP directory:
>
> LDAP Client ---simple BIND--> OpenLDAP ---sasl---> saslauthd ---simple BIND--> AD
>
> 2) PTA on several LDAP directories --- with meta backend
>
> LDAP Client ---sasl --- saslauthd --- simple BIND --> OpenLDAP ----simple BIND--> AD
>
> 3) PTA on several LDAP directories --- with ldap backend
>
> LDAP Client ---sasl --- saslauthd --- simple BIND --> OpenLDAP ----simple BIND--> AD
>
>
> However, the scenario that I want to achieve is that the client connecting
> to OpenLDAP must also use saslauthd, because that is the only way svnserve (
> Subversion ) can talk to an LDAP directory. Also, because I can only talk to
> AD2 using sasl bind and NOT simple bind, I also have to use saslauthd to
> talk to AD2.
>
> So what I really want to achieve is, using ASCII art / fixed width fonts:
>
> LDAP Client ( e.g. svnserve / testsaslauthd ) ---sasl ---> saslauthd -> OpenLDAP
>                                                                          |------- sasl ---> saslauthd ---SASL BIND--> AD1
>                                                                          \------- sasl ---> saslauthd ---SASL BIND--> AD2
>
> The user that needs to be authenticated from the LDAP client ( e.g. svnserve
> / testsaslauthd ) is on either AD1 or AD2.
>
> From what I can summarise, I will actually need three ( 3 ) saslauthd
> processes, with different unix sockets, and with different saslauthd.conf.
>
> Is there a way for OpenLDAP to talk to another LDAP directory using SASL /
> DIGEST-MD5 without having to use saslauthd? So that I only need one (1)
> saslauthd ( from svnserve to OpenLDAP )?
>
>

Sorry to the people on the list ... I did not realise that gmail
was NOT sending plain/text until I read my message in the list
archive! ... I thought selecting "Remove Formatting" would send it as
plain/text, but I have to select "More Options" and select "Plain text
mode". It has been a while since I used gmail to send to a mailing list.

Anyway, what I hope to achieve may not actually be possible ( PTA with
SASL bind ). That is because the first thing that happens with SASL
bind, at least with DIGEST-MD5, is that:

1) LDAP client sends bindRequest with mechanism ( no user or password
or realm is sent yet )
2) LDAP server returns the NONCE to the client ( bindInProgress )
3) LDAP client sends another bindRequest with the credentials (
username, realm, and the NONCE ) -- bindInProgress
4) LDAP server returns either a success or invalidCredentials

Therefore, the proxy will not know what backend the client really
wants to connect to until step [3] above.

Oh well.
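The four-step DIGEST-MD5 bind above, replayed as an added example (my own code, not from this thread or from OpenLDAP): it computes the RFC 2831 response-value and flags which message first carries a user name and realm, and it shows the response is bound to the nonce the answering server issued. The server "database", the realm names and the digest-uri are constructed sample values.

```python
# Added example: RFC 2831 DIGEST-MD5 bind modelled step by step, to show
# at which step the user identity first appears and that the client's
# response is tied to the nonce issued by whichever server answered step 2.
import hashlib
import os


def h(data: bytes) -> bytes:
    return hashlib.md5(data).digest()


def user_secret(username: str, realm: str, password: str) -> bytes:
    """H(username:realm:password), the value a DIGEST-MD5 server stores."""
    return h(f"{username}:{realm}:{password}".encode())


def response_value(secret: bytes, nonce: str, cnonce: str, nc: str,
                   digest_uri: str, qop: str = "auth") -> str:
    """response-value for qop=auth without authzid (RFC 2831 section 2.1.2.1)."""
    a1 = secret + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return h(f"{h(a1).hex()}:{nonce}:{nc}:{cnonce}:{qop}:{h(a2).hex()}".encode()).hex()


def sasl_bind(username: str, realm: str, password: str, server_db: dict) -> dict:
    """Replay the four bind steps from the mail. server_db maps
    (username, realm) -> user_secret(...) (constructed sample store)."""
    # Step 1: bindRequest names only the mechanism; no user, realm or password.
    step1 = {"from": "client", "mechanism": "DIGEST-MD5", "has_identity": False}
    # Step 2: server answers saslBindInProgress with a fresh nonce and its realm.
    nonce = os.urandom(16).hex()
    step2 = {"from": "server", "result": "saslBindInProgress",
             "nonce": nonce, "realm": realm, "has_identity": False}
    # Step 3: the client finally names itself, bound to the nonce from step 2.
    cnonce, nc, uri = os.urandom(8).hex(), "00000001", "ldap/proxy.example.test"
    step3 = {"from": "client", "username": username, "realm": realm,
             "nonce": nonce, "cnonce": cnonce, "nc": nc, "digest-uri": uri,
             "response": response_value(user_secret(username, realm, password),
                                        nonce, cnonce, nc, uri),
             "has_identity": True}
    # Step 4: server recomputes from its stored secret; the password itself
    # never crosses the wire, so nothing here could be forwarded as a simple bind.
    secret = server_db.get((step3["username"], step3["realm"]))
    ok = secret is not None and response_value(
        secret, nonce, cnonce, nc, uri) == step3["response"]
    step4 = {"from": "server", "has_identity": False,
             "result": "success" if ok else "invalidCredentials"}
    steps = [step1, step2, step3, step4]
    first = next(i + 1 for i, s in enumerate(steps) if s["has_identity"])
    return {"steps": steps, "identity_first_seen_at_step": first,
            "result": step4["result"]}
```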