
Re: Controlled LDAP Proxy/Relay

On 08/02/2012 09:58, W.Siebert@t-systems.com wrote:

Is it possible to implement the controlled proxy with OpenLDAP? E.g., like
Radiusproxy based on realm: when username is xxx@domain01.com go to the
target1, and when username is xxx@domain99.net go to the target2.

Yes, a combination of meta database config in slapd.conf and appropriate SASL config.

In your schema, use the following in userPassword:

userPassword: {SASL}xxx@DOMAIN

where DOMAIN is whichever domain the user needs to be authenticated against.

In slapd.conf:

database     meta
suffix       dc=local
rootdn       cn=administrator,dc=local
rootpw       secret

# domain01
uri   ldaps://domain01.com:3269/ou=domain01.com,dc=local
lastmod     off
suffixmassage  "ou=domain01.com,dc=local" "dc=domain01,dc=com"

idassert-bind           bindmethod=simple

idassert-authzFrom      "dn.exact:cn=administrator,dc=local"

# domain02
uri   ldaps://domain02.com:3269/ou=domain02.com,dc=local
lastmod     off
suffixmassage  "ou=domain02.com,dc=local" "dc=domain02,dc=com"

idassert-bind           bindmethod=simple

idassert-authzFrom      "dn.exact:cn=administrator,dc=local"

In saslauthd.conf you need to create the appropriate search base for authentication based on the domain in the userPassword field:

ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta
ldap_search_base: ou=%d,dc=local
ldap_filter: (sAMAccountName=%U)
ldap_auth_method: bind

ldap_bind_dn: cn=administrator,dc=local
ldap_password: secret

ldap_deref: never
ldap_use_sasl: no

Hopefully this is enough info to get you going.

Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                 http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
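As an added example (not part of the thread or of OpenLDAP itself), a small Python check over the meta-backend targets described above: it verifies that each suffixmassage virtual suffix equals the naming context in the target's uri, sits under the database suffix, and is exactly what saslauthd's ou=%d,dc=local search base resolves to for that realm. The slapd.conf fragment is constructed, with the second suffixmassage deliberately mistyped so the check fires.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample slapd.conf meta section (not the list reply's exact text):
# the second target's suffixmassage is deliberately mistyped ("=local" for ",dc=local").
SLAPD_CONF = """\
database     meta
suffix       dc=local
uri   ldaps://domain01.com:3269/ou=domain01.com,dc=local
suffixmassage  "ou=domain01.com,dc=local" "dc=domain01,dc=com"
uri   ldaps://domain02.com:3269/ou=domain02.com,dc=local
suffixmassage  "ou=domain02.com=local" "dc=domain02,dc=com"
"""

def normalize_dn(dn):
    """Lower-case and strip whitespace around each RDN so DNs compare by value."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))

def parse_meta_targets(conf):
    """One dict per target: a target starts at each 'uri' line and the
    suffixmassage that follows it belongs to that target."""
    targets = []
    for line in conf.splitlines():
        line = line.strip()
        if re.match(r"uri\s+", line):
            url = line.split(None, 1)[1]
            ctx = unquote(urlsplit(url).path.lstrip("/"))  # naming context after the host
            targets.append({"uri": url, "ctx": ctx, "virtual": None, "real": None})
        elif line.startswith("suffixmassage") and targets:
            m = re.match(r'suffixmassage\s+"([^"]+)"\s+"([^"]+)"', line)
            if m:
                targets[-1]["virtual"], targets[-1]["real"] = m.groups()
    return targets

def check_targets(targets, suffix="dc=local", sasl_base="ou=%d,dc=local"):
    """Return a list of problem strings; an empty list means the routing is consistent."""
    problems = []
    for t in targets:
        ctx = normalize_dn(t["ctx"])
        if t["virtual"] is None:
            problems.append(f"{t['uri']}: target has no suffixmassage")
            continue
        virt = normalize_dn(t["virtual"])
        if virt != ctx:  # requests under the uri's context would never be rewritten
            problems.append(f"{t['uri']}: virtual suffix {t['virtual']!r} != naming context {t['ctx']!r}")
        if not virt.endswith(normalize_dn(suffix)):
            problems.append(f"{t['uri']}: virtual suffix {t['virtual']!r} is outside suffix {suffix!r}")
        # saslauthd substitutes the realm from {SASL}user@DOMAIN for %d; it must reach this target
        domain = ctx.split(",")[0].split("=", 1)[1]
        if normalize_dn(sasl_base.replace("%d", domain)) != ctx:
            problems.append(f"{t['uri']}: saslauthd search base for {domain} does not reach this target")
    return problems
```

Run it against your own slapd.conf meta section and saslauthd search base after adding a realm; every target should come back with no problems.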