[Date Prev][Date Next] [Chronological] [Thread] [Top]

not able to use idassert-bind successfuly



Dear members,

We are trying to create a LDAP proxy to hide two distinct AD servers
behind a "single LDAP view". The goal is to authentify and authorize
extranet and internal users using a single LDAP server, as LDAP clients
(eg Apache) should only talk to a single LDAP server, and not be aware
about the multiple AD servers behind the proxy.

Our understanding is that we can create a meta database with two
back-ends, using distinct uri/suffix/etc.

What works:

- using an AD user to talk to the proxy, which then is re-used by the
proxy to talk to the back-end

What does not work:

- one "front-end", simple-bind LDAP-user used to access the LDAP-proxy,
and only known to the proxy
- one back-end user per back-end (known in AD).

So we want to first search where a user is by using a front-end account,
and then retry a bind with the user's effective username and password
using its correct DN.

Our config:
--------------------------------------------------------------------
database        meta
suffix         dc=meta,dc=x1,dc=ch
uri         "ldaps://ad1.ad.x1.ch/OU=O3,dc=meta,dc=x1,dc=ch"
suffixmassage "OU=O3,dc=meta,dc=x1,dc=ch" "OU=O3,dc=ad,dc=x1,dc=ch"

idassert-authzFrom "dn:*"
idassert-bind
        bindmethod=simple
        tls_reqcert=allow
        binddn="CN=ldapsrvusr,OU=Service Accounts,OU=O3,dc=ad,dc=x1,dc=ch"
        credentials="abcdef12345"
--------------------------------------------------------------------

When we try to use idassert-bind above, we always get the following
error in the log:

...
535a1f25 conn=1000 op=1 <<< meta_search_dobind_init[0]=4
535a1f25 conn=1000 op=1 <<< meta_back_search_start[0]=4
535a1f25 conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
535a1f25 conn=1000 op=1 >>> meta_search_dobind_init[0]
535a1f25 conn=1000 op=1 meta_search_dobind_init[0] mc=0x7f17fc008ef0:
non-empty dn with empty cred; binding anonymously
...

so it looks our identity is never used beyond the proxy to talk to the AD.

help welcome.
TIA,
Charles