I've been racking my brains trying to understand the syntax of
idassert-bind.
In my current setup I have a local bdb database with some users and the
base entry for the tree. I have a meta database that is subordinate to
the bdb database.
If I bind to the proxy as root, and search for anything, with any base
(within the tree) openldap will bind to the relevant targets using the
credentials defined in the idassert-bind directives.
If I bind to the proxy as a user that exists locally (within the bdb
database) but not in any of the targets, openldap will bind to the
targets anonymously using the dn defined in idassert-bind but no
password.
If I bind to the proxy as a user that exists in one of the targets, it
will bind to that target with the supplied credentials, and bind
anonymously using the dn defined in idassert-bind to all other targets
within scope.
Ideally, I would like the following situation:
If a user binds with local credentials, openldap should bind to the
targets with the credentials supplied with idassert-bind.
If a user binds with remote credentials, openldap should bind to that
target with the credentials supplied by the user, and either bind to the
other targets using the pre-defined credentials OR not attempt to bind
to those targets.
I have tried using 'flags=override', which works well to solve the
local user problem. However if a user binds with remote credentials,
openldap will first bind with those credentials, then rebind with the
pre-defined credentials. The problem here is that the predefined
credentials may not have the same privileges as the supplied
credentials.
Here's something like my slapd.conf...
require authc

access to *
        by dn="cn=user a,dc=example,dc=com" read
        by dn="cn=user b,dc=example,dc=com" read
        by * auth

access to dn.sub="dc=target a,dc=meta,dc=example,dc=com"
        by dn="cn=user a,dc=example,dc=com" write
        by self write

# Meta Database
database        meta
suffix          "dc=meta,dc=example,dc=com"
subordinate
rootdn          "cn=root,dc=example,dc=com"

## Target A
uri             "ldap://192.168.1.10/dc=target a,dc=meta,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,o=example"
                credentials="secret"
                mode=none
idassert-authzFrom "dn:*"
rewriteEngine   on
suffixmassage   "dc=target a,dc=meta,dc=example,dc=com" "o=example"

## Target B
uri             "ldap://192.168.1.20/dc=target b,dc=meta,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,dc=another,dc=com"
                credentials="secret"
                mode=none
idassert-authzFrom "dn:*"
rewriteEngine   on
suffixmassage   "dc=target b,dc=meta,dc=example,dc=com" "dc=another,dc=com"

# Local bdb database
database        bdb
suffix          "dc=example,dc=com"
directory       /usr/local/var/openldap-data/example-base/
rootdn          "cn=root,dc=example,dc=com"
rootpw          "secret"
index           objectclass eq
index           cn,sn eq,sub
Thank you for taking the time to read this, any help would be greatly
appreciated.
Best Regards,
Drew
Andrew Graham
ICT
AgustaWestland UK
Tel No: +44 (0) 1935 70 4421
andrew.graham(a)agustawestland.com
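As an added illustration, not part of the message above, here is one way to narrow what the proxy's service account gets used for on a target, built from the Target A stanza in the posted slapd.conf: idassert-authzFrom is limited to identities the local bdb database itself authenticates, and flags=prescriptive makes any other identity fail closed rather than fall back to an anonymous bind, as slapd-ldap(5) (which slapd-meta(5) refers to for idassert-bind options) documents. The onelevel pattern is an assumption that users sit directly under dc=example,dc=com, as "cn=user a,dc=example,dc=com" does; the target address and credentials are copied from the post.

```text
## Target A (hardened variant, added example)
uri             "ldap://192.168.1.10/dc=target a,dc=meta,dc=example,dc=com"
# mode=none: no proxyAuthz control is sent, so the target simply sees
# the service account identity below.
# flags=prescriptive: an identity that idassert-authzFrom does not allow
# gets inappropriateAuthentication instead of the default anonymous
# fallback. flags=override is deliberately absent: as observed above it
# re-binds with these credentials even after the user's own bind.
# Continuation lines must start with whitespace in slapd.conf.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,o=example"
                credentials="secret"
                mode=none
                flags=prescriptive
# Only identities one level under the local suffix (the bdb users and
# cn=root) may be mapped to the service account; a DN that authenticated
# through another target, e.g. cn=x,dc=target b,dc=meta,dc=example,dc=com,
# does not match and is refused by the prescriptive flag. (Assumed layout.)
idassert-authzFrom "dn.onelevel:dc=example,dc=com"
rewriteEngine   on
suffixmassage   "dc=target a,dc=meta,dc=example,dc=com" "o=example"
```

The same pattern applies to Target B with its own binddn and suffixmassage.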