Dieter Kluenter wrote:
Hi, I have some problems understanding strong binds and proxy authc with back-ldap. It seems that back-ldap is not passing the bind credentials to the remote server, thus only an anonymous bind is enforced. On the other hand, an ldapwhoami results in success
ldapwhoami doesn't use idassert, it binds and performs whoami exop on its own, eventually applying the proxyAuthz control if requested...
,----[ ldapwhoami on back-ldap ]
| ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
| SASL/DIGEST-MD5 authentication started
| SASL username: dieter
| SASL SSF: 128
| SASL data security layer installed.
| dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
`----
while an ldapsearch results in no success
ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004 -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber
,----[ log with loglevel acl ]
| slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
| slapd[7050]: => acl_mask: to all values by "", (=0)
| slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7050]: <= check a_dn_pat: users
| slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7050]: => slap_access_allowed: search access denied by =0
| slapd[7050]: => access_allowed: no more rules
`----
the back-ldap configuration,
,----[ back-ldap slapd.conf ]
| .....
| modulepath /opt/openldap/libexec/openldap
| moduleload back_meta.la
| moduleload back_ldap.la
| moduleload pcache.la
| moduleload rwm.la
| authz-regexp uid=(.*),cn=.*,cn=auth
|     ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
| database ldap
| suffix dc=dkluenter,dc=de
| rootdn cn=admin,dc=dkluenter,dc=de
| uri ldap://localhost:389
| acl-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authcId=admanager
|     credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|     bindmethod=sasl
|     saslmech=digest-md5
|     authzId=u:admanager
^^^ you should use authcId=admanager (or whatever identity you want to use as the proxy identity) much like for acl-bind... With the above, as far as I understand, you sort of try to bind anonymously and authz as admanager, which is unlikely to succeed (but I think it's trapped earlier by the proxy and nothing is actually sent to the remote server with respect to identity assertion; then the failure at the server's side).
Hope this helps.
|     authz=native
|     credentials=mailer
| proxy-whoami yes
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
| overlay pcache
| proxycache bdb 10000 22 50 3600
| proxycachequeries 10000
| proxyattrset 0 mail telephonenumber
| proxyattrset 1 mobile homephone
| proxytemplate (sn=) 0 3600
| proxytemplate (cn=) 1 3600
| directory /opt/openldap/var/cache
| cachesize 1000
| dbconfig set_cachesize 0 1048576 0
| index objectClass,queryid eq
| index telephonenumber pres,eq
| index cn,sn,mail pres,eq,sub
| #
| database monitor
`----
the relevant access rules on the remote server
,----[ slapd.conf access rules ]
| access to dn.subtree="ou=adressbuch,o=avci,c=de"
|     by dn.exact="cn=adManager,o=avci,c=de" write
|     by users read
`----
Not to mention that the same search operation on the remote server is successful.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
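The fix Pierangelo points at, written out as an added example (not a configuration from the original thread): the idassert-bind stanza as posted, beside one that authenticates the proxy as admanager with authcId, mirroring the acl-bind stanza. All values are the ones from the posted slapd.conf; nothing else is assumed.

```conf
# As posted: no authcId, so the proxy has no identity of its own to
# authenticate with.  authzId alone asks to be *authorized* as admanager
# while binding anonymously, which (as the reply notes) is unlikely to
# succeed and leaves the remote server seeing an anonymous search.
idassert-bind
    bindmethod=sasl
    saslmech=digest-md5
    authzId=u:admanager
    authz=native
    credentials=mailer

# Corrected: the proxy authenticates as admanager (authcId + credentials),
# exactly like the acl-bind stanza above it, and the locally bound user's
# identity is then asserted to the remote server as the SASL
# authorization identity (authz=native) rather than via proxyAuthz.
idassert-bind
    bindmethod=sasl
    saslmech=digest-md5
    authcId=admanager
    credentials=mailer
    authz=native
```

Only one idassert-bind belongs in the final slapd.conf; the first stanza is kept here for contrast with the working one.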