Mark Colaluca wrote:
I'm looking to set up a few OpenLDAP servers as pure query-only proxies (no update at this point) to our "other directory" servers we happen to use in our environment. We'd like to keep the security settings we currently have on these "other directory" servers that only allows users with valid accounts on the said "other directory" server to query the server. What would be the simplest, quickest configuration to achieve this? Should I create a generic 'ldapuser' account on the "other directory" server and use those credentials every time? Can I "pass" a user's credentials as part of my proxy request?
I've read through the Admin Guide and the sample slapd.conf files, and I'm a little stumped as to how to proceed - I only made it as far as setting up the very basic proxy server.
current slapd.conf
database ldap
lastmod off
^^^ this is no longer necessary (assuming you use 2.3 code)
uri "ldap://ouradserver.ourdomain.com:389/DC=ourdomain,DC=com"
^^^ the DN portion of the LDAP URL is not allowed
suffix "dc=ourdomain,dc=com"
Thanks for any tips and pointers,
The possibility to proxy remote DSAs has been discussed many times on the openldap-software mailing list. It is not clear what you exactly intend to do with respect to authentication.
If you plan to proxy requests by users that have an account on the remote DSA, back-ldap does it by default, by proxying simple binds to the remote DSA.
If you want back-ldap to proxy requests by users that don't have an account on the remote DSA (which implies they have an account somewhere else, otherwise they wouldn't be users), then back-ldap can do it by means of identity assertion with mode=self (see idassert-bind in slapd-ldap(5)), which requires the remote DSA to support proxied authorization (RFC4370).
On the contrary, if you mean that the proxy should fool the remote DSA by using a (not too) privileged identity to proxy authenticated as well as anonymous requests, then back-ldap can do it as well, again by means of identity assertion with mode=none (see idassert-bind in slapd-ldap(5)). In this case, the remote DSA does not need to support proxied authorization (RFC4370), but, to allow anonymous to be asserted, you'll need to explicitly authorize it by using "idassert-authzFrom *"
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
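The three back-ldap setups described in the reply above, as an added slapd.conf example that is not part of the original thread; the proxy bind DN, service-account password and the remote host name are placeholders, and the three database stanzas are alternatives to pick from, not meant to coexist in one file.

```conf
# Added example (not from the thread). Placeholders: proxy DN, password, host.
# Choose ONE of the three "database ldap" stanzas below.

# --- Case 1: every client has an account on the remote DSA ---------------
# Nothing beyond the basic proxy is needed: back-ldap forwards each
# client's simple bind to the remote server, which keeps enforcing its
# own per-user access control.
database        ldap
suffix          "dc=ourdomain,dc=com"
uri             "ldap://ouradserver.ourdomain.com:389"   # no DN part in the URL

# --- Case 2: clients authenticate elsewhere, remote supports RFC 4370 ----
# The proxy binds with its own identity and asserts the client's identity
# through the proxied-authorization control, so the remote DSA still sees
# (and applies its ACLs to) the real user. The remote DSA must be
# configured to let the proxy's binddn assert those identities.
database        ldap
suffix          "dc=ourdomain,dc=com"
uri             "ldap://ouradserver.ourdomain.com:389"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,ou=service,dc=ourdomain,dc=com"
                credentials="PLACEHOLDER_PASSWORD"
                mode=self

# --- Case 3: hide all clients behind one proxy identity ------------------
# mode=none sends every operation as binddn, authenticated and anonymous
# alike; the remote DSA sees only the proxy account, so its per-user
# access control no longer applies. Keep that account's rights minimal.
# idassert-authzFrom "*" is required for anonymous clients to be asserted.
database        ldap
suffix          "dc=ourdomain,dc=com"
uri             "ldap://ouradserver.ourdomain.com:389"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,ou=service,dc=ourdomain,dc=com"
                credentials="PLACEHOLDER_PASSWORD"
                mode=none
idassert-authzFrom "*"
```

Lines beginning with whitespace are continuations of the previous directive in slapd.conf, which is why the idassert-bind options can be split across lines.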