On Thursday 22 February 2007 02:51, Quanah Gibson-Mount wrote:
--On Thursday, February 22, 2007 12:59 AM +0100 Pierangelo Masarati
ando@sys-net.it wrote:
Quanah Gibson-Mount wrote:
Sure. Which configuration do you want me to try it with? ;) Here is -d -1 with this config:
idassert-bind bindmethod=sasl saslmech=gssapi realm=stanford.edu authcID=service/mailrouter@stanford.edu
authzID=dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu
First of all, what's missing here is the "mode" parameter; what do you want the proxy to do? bind as "service/mailrouter@stanford.edu", SASL authorize as "dn:cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" and then? proxy authorize as the incoming request? just keep the "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" identity?
What I want for it to do is bind using the Krb5 ticket cache specified in slapd's environment, and use whatever identity gets *automatically* negotiated on the remote servers side. All this authcID and authZID stuff is really unnecessary, since the remote server handles it anyway.
Hm, if I understand you correctly, then you probably want to set "mode=none" in idassert-bind. The following config worked for me with OpenLDAP 2.3.33 proxying to an Active Directory:
idassert-authzFrom dn.regex:.* idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
Note, that the idassert-authzFrom that I used will allow every user (even non-authenticated) to exploit the identity assertion feature. IIRC that means all queries against you proxy (regardless how they authenticated) will get to the proxied Server authenticated and authorized as the identity that is referenced in the Kerberos Ticket Cache that your proxy uses. At least that is how I interpreted the man-pages and how my test setup behaved.
So you probably want to restrict the idassert-authzFrom option in your enviroment.
What "service/mailrouter@stanford.edu" gets mapped to on the remote server IS "cn=mailrouter,cn=service,cn=applications,dc=stanford,dc=edu" by the authz-regexp rule on the remote server.