
Re: not able to use idassert-bind successfully



Looks like I was fighting with bugs in my old openldap snapshot from
Ubuntu 12.04. Compiling and using the latest version works.

On 25.04.14 10:45, Charles Bueche wrote:
> Dear members,
>
> We are trying to create an LDAP proxy to hide two distinct AD servers
> behind a "single LDAP view". The goal is to authenticate and authorize
> extranet and internal users using a single LDAP server, as LDAP clients
> (e.g. Apache) should only talk to a single LDAP server, and not be aware
> of the multiple AD servers behind the proxy.
>
> Our understanding is that we can create a meta database with two
> back-ends, using distinct uri/suffix/etc.
>
> What works:
>
> - using an AD user to talk to the proxy, which then is re-used by the
> proxy to talk to the back-end
>
> What does not work:
>
> - one "front-end" simple-bind LDAP user used to access the LDAP proxy,
> known only to the proxy
> - one back-end user per back-end (known in AD).
>
> So we want to first search where a user is by using a front-end account,
> and then retry a bind with the user's effective username and password
> using its correct DN.
>
> Our config:
> --------------------------------------------------------------------
> database        meta
> suffix         dc=meta,dc=x1,dc=ch
> uri         "ldaps://ad1.ad.x1.ch/OU=O3,dc=meta,dc=x1,dc=ch"
> suffixmassage "OU=O3,dc=meta,dc=x1,dc=ch" "OU=O3,dc=ad,dc=x1,dc=ch"
>
> idassert-authzFrom "dn:*"
> idassert-bind
>         bindmethod=simple
>         tls_reqcert=allow
>         binddn="CN=ldapsrvusr,OU=Service Accounts,OU=O3,dc=ad,dc=x1,dc=ch"
>         credentials="abcdef12345"
> --------------------------------------------------------------------
>
> When we try to use idassert-bind above, we always get the following
> error in the log:
>
> ...
> 535a1f25 conn=1000 op=1 <<< meta_search_dobind_init[0]=4
> 535a1f25 conn=1000 op=1 <<< meta_back_search_start[0]=4
> 535a1f25 conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
> 535a1f25 conn=1000 op=1 >>> meta_search_dobind_init[0]
> 535a1f25 conn=1000 op=1 meta_search_dobind_init[0] mc=0x7f17fc008ef0:
> non-empty dn with empty cred; binding anonymously
> ...
>
> so it looks like our identity is never used beyond the proxy to talk to the AD.
>
> help welcome.
> TIA,
> Charles
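
For readers arriving at this thread with the same goal, here is a complete
slapd.conf fragment for the setup Charles describes (two AD forests behind
one back-meta suffix, a front-end account that exists only on the proxy,
one AD service account per back-end). It is an added example, not the
original poster's configuration and not taken from the OpenLDAP
documentation; host names, DNs, OU names, the front-end account and all
passwords are placeholders. The design choices it encodes: the front-end
account is the meta database's rootdn, so slapd authenticates it locally
and that bind never reaches AD; idassert-bind runs with mode=none because
Active Directory does not implement the proxied-authorization control
(RFC 4370) that the default legacy mode would send; and
idassert-authzFrom is narrowed to the front-end account rather than
"dn:*", so anonymous clients cannot inherit the service account's search
visibility (with the default prescriptive flag their searches are refused
instead). Binds with a real user's DN are always proxied directly, and
without flags=override such a user's later operations run on their own
bound connection, not as the service account.

```conf
# Added example: back-meta proxy presenting two AD forests as one suffix.
# Everything below the comments is placeholder data, not real infrastructure.

database        meta
suffix          "dc=meta,dc=x1,dc=ch"

# Front-end account known only to the proxy. Binds as rootdn are checked
# against rootpw by slapd itself, so Apache's first bind never touches AD.
rootdn          "cn=proxy,dc=meta,dc=x1,dc=ch"
rootpw          "{SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"   # from slappasswd

# AD answers with referrals for other naming contexts; do not follow them
# from the proxy.
chase-referrals no

# --- back-end 1: forest ad.x1.ch -------------------------------------------
uri             "ldaps://ad1.ad.x1.ch/OU=O3,dc=meta,dc=x1,dc=ch"
suffixmassage   "OU=O3,dc=meta,dc=x1,dc=ch" "OU=O3,dc=ad,dc=x1,dc=ch"

# Service account used for searches issued by the front-end account.
# mode=none: bind as this identity and do not assert the client's DN
# (AD has no proxyAuthz support). tls_reqcert=demand: verify the AD
# certificate against the CA configured for libldap on the proxy host.
idassert-bind   bindmethod=simple
                binddn="CN=ldapsrvusr,OU=Service Accounts,OU=O3,dc=ad,dc=x1,dc=ch"
                credentials="<service-account-1-password>"
                tls_reqcert=demand
                mode=none
# Only the front-end account may borrow the service account; anyone else
# (including anonymous) is refused under the default prescriptive flag.
idassert-authzFrom "dn.exact:cn=proxy,dc=meta,dc=x1,dc=ch"

# --- back-end 2: forest ad.x2.ch -------------------------------------------
uri             "ldaps://ad2.ad.x2.ch/OU=O5,dc=meta,dc=x1,dc=ch"
suffixmassage   "OU=O5,dc=meta,dc=x1,dc=ch" "OU=O5,dc=ad,dc=x2,dc=ch"

idassert-bind   bindmethod=simple
                binddn="CN=ldapsrvusr2,OU=Service Accounts,OU=O5,dc=ad,dc=x2,dc=ch"
                credentials="<service-account-2-password>"
                tls_reqcert=demand
                mode=none
idassert-authzFrom "dn.exact:cn=proxy,dc=meta,dc=x1,dc=ch"
```

The Apache-style flow then is: bind as cn=proxy,dc=meta,dc=x1,dc=ch
(handled locally), search under dc=meta,dc=x1,dc=ch for the user (back-meta
fans the search out to both targets as their service accounts and massages
the returned DNs back into the meta suffix), then bind again with the
user's massaged DN and password, which back-meta forwards to the right AD
with the DN rewritten to that forest's real suffix. Two checks worth doing
after loading the config: slaptest -f slapd.conf to catch syntax errors,
and a debug run (slapd -d stats,config) while issuing one anonymous
search, to confirm the anonymous client is refused rather than served with
the service account's visibility. Do not keep the service-account
passwords in a world-readable slapd.conf; the file must be readable only
by the slapd user.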