Re: (ITS#7807) rebind-as-user in slapd-meta not running - openldap-bugs

28 Feb 2014


      On 02/28/2014 11:00 AM, theedgeu2@live.com wrote:
...
Full_Name: Angel Martinez
Version: 2.4.39
OS: Red Hat Linux 6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.71.18.36)
I'm trying to configure a LDAP proxy with slapd-meta.
I have several suffixs over several instances that shares the same user
accounts. It's posible that one user had access to several targets.
The targets are:

Users: ou=users, dc=test, dc=com (here resides all accounts)

Target1: ou=target1, dc=test, dc=com

Target2: ou=target2, dc=test, dc=com


These 3 suffix are on 3 differents instances.
The instances where target1 and target2 are also have another suffix: ou=users,
dc=test, dc=com. This suffix is replicated from the first instance (Users)
Normally, the users connect throught the proxy, but sometimes will connect
directly to the others instances.
Basically this is the slapd.conf of the proxy:
database meta
chase-referrals yes
rebind-as-user  yes
suffix   "ou=users,dc=test,dc=com"
uri      "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"
suffix   "ou=target1,dc=test,dc=com"
uri      "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
suffix   "ou=target2,dc=test,dc=com"
uri      "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
When a user connects to the proxy with cn=user1,ou=users,dc=test,dc=com, the
user is validated against the first target (ou=users) and can search over this
suffix, but if this user try to search something over other target (for example
ou=target1) the proxy does not use the credentials of the user and do an
anonymous bind to target1, so the search doesn't run.
I thought that rebind-as-user resolve this but doesn't run.
I've tried using idassert-bind mode=self bindmethod=simple
binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and runs
ok, but I prefer not to use an administrative account to connect the proxy with
the targets.
Is there something I'm missing?
Yes, you did not read slapd-meta(5) man page.  rebind-as-user is used in 
a totally different context.  What you need is idassert-bind.
Please direct further conversation to openldap-technical@openldap.org. 
  This ITS will be closed.
p.
-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano