--On Thursday, February 22, 2007 3:17 PM +0100 Ralf Haferkamp rhafer@suse.de wrote:

> Hm, if I understand you correctly, then you probably want to set "mode=none" in idassert-bind. The following config worked for me with OpenLDAP 2.3.33 proxying to an Active Directory:
>
>   idassert-authzFrom dn.regex:.*
>   idassert-bind bindmethod=SASL saslmech=GSSAPI mode=none
>
> Note that the idassert-authzFrom that I used will allow every user (even non-authenticated) to exploit the identity assertion feature. IIRC that means all queries against your proxy (regardless of how they authenticated) will get to the proxied server authenticated and authorized as the identity that is referenced in the Kerberos ticket cache that your proxy uses. At least that is how I interpreted the man pages and how my test setup behaved.
>
> So you probably want to restrict the idassert-authzFrom option in your environment.
That's actually exactly what I want. The system is restricted to local binds only, so it is fine for any connection to use the authzFrom.
I'm getting an error with this config, unfortunately.
sh-2.05b# cat /etc/ldap/slapd.conf
# /etc/ldap/slapd.conf -- LDAP proxy slapd configuration file.
# $Id$

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/krb5-kdc.schema
include         /etc/ldap/schema/suacct.schema

# Global Options

modulepath      /usr/lib/ldap
moduleload      back_ldap.la

readonly        on
access to * by * read

# LDAP Proxy Options

database        ldap
suffix          "dc=stanford,dc=edu"
uri             "ldap://ldap-test1.stanford.edu"
idassert-authzFrom dn.regex:.*
idassert-bind   bindmethod=SASL saslmech=GSSAPI mode=none
which is:
Internal (implementation specific) error (80)
conn=0 op=1 SRCH base="dc=stanford,dc=edu" scope=2 deref=0 filter="(objectClass=*)"
==> limits_get: conn=0 op=1 dn="[anonymous]"
ldap_create
ldap_url_parse_ext(ldap://ldap-test1.stanford.edu)
=>ldap_back_getconn: conn 0x81a1718 inserted refcnt=1 binding=1
===>slap_sasl_match: comparing DN to rule dn.regex:.*
slap_parseURI: parsing dn.regex:.*
<===slap_sasl_match: comparison returned 0
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap-test1.stanford.edu:389
ldap_new_socket: 9
ldap_prepare_socket: 9
ldap_connect_to_host: Trying 171.64.11.148:389
ldap_connect_timeout: fd: 9 tm: -1 async: 0
ldap_int_sasl_open: host=ldap-test1.Stanford.EDU
send_ldap_result: conn=0 op=1 p=3
send_ldap_result: err=80 matched="" text=""
send_ldap_response: msgid=2 tag=101 err=80
ber_flush: 14 bytes to sd 8
  0000:  30 0c 02 01 02 65 07 0a  01 50 04 00 04 00         0....e...P....
ldap_write: want=14, written=14
  0000:  30 0c 02 01 02 65 07 0a  01 50 04 00 04 00         0....e...P....
conn=0 op=1 SEARCH RESULT tag=101 err=80 nentries=0 text=
daemon: activity on 1 descriptor
daemon: activity on: 8r
daemon: read activity on 8
connection_get(8)
connection_get(8): got connid=0
connection_read(8): checking for input on id=0
ber_get_next
ldap_read: want=8, got=7
  0000:  30 05 02 01 03 42 00                               0....B.
ber_get_next: tag 0x30 len 5 contents:
ber_dump: buf=0x081a1a38 ptr=0x081a1a38 end=0x081a1a3d len=5
  0000:  02 01 03 42 00                                     ...B.
ber_get_next
ldap_read: want=8, got=0

ber_get_next on fd 8 failed errno=0 (Success)
connection_read(8): input error=-2 id=0, closing.
connection_closing: readying conn=0 sd=8 for close
connection_close: deferring conn=0 sd=8
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=NULL
daemon: select: listen=7 active_threads=0 tvp=NULL
do_unbind
conn=0 op=2 UNBIND
connection_resched: attempting closing conn=0 sd=8
connection_close: conn=0 sd=8
=>ldap_back_conn_destroy: fetching conn 0
daemon: removing 8
conn=0 fd=8 closed
On the remote server side, I see:
Feb 22 10:12:07 ldap-test1 slapd[20556]: conn=31708 fd=38 ACCEPT from IP=171.67.16.99:41602 (IP=0.0.0.0:389)
but no further steps in the negotiation process.
--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
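Editorial note on the idassert-authzFrom restriction Ralf raises above. The fragment below is an added illustration, not configuration from either poster: it places the wide-open rule from the thread next to a tightened one. The service-account DN is a placeholder chosen for the example; the `dn.exact:` form is the standard authzFrom syntax from slapd.conf(5), and the other keywords are exactly those already used in the thread.

```conf
# Weak (as posted in the thread): the rule matches every local identity,
# including an anonymous bind. The slapd -d -1 trace above shows exactly
# this: dn="[anonymous]" is compared to dn.regex:.* and the match succeeds,
# so any client of the proxy reaches the backend as the proxy's own
# Kerberos identity (mode=none forwards no client identity at all).
idassert-authzFrom "dn.regex:.*"
idassert-bind      bindmethod=SASL saslmech=GSSAPI mode=none

# Restricted: only a connection that has bound locally as this one
# service account (placeholder DN, an assumption for the example) may
# use the identity assertion. Anonymous clients and any other bound
# identity fail the authzFrom match, so their operations are not sent
# to the backend under the proxy's GSSAPI credentials.
idassert-authzFrom "dn.exact:cn=proxy-client,ou=services,dc=stanford,dc=edu"
idassert-bind      bindmethod=SASL saslmech=GSSAPI mode=none
```

In a setup like the one Quanah describes, where only local binds can reach the proxy, the wide rule is a deliberate choice; the tightened form is what to reach for once the proxy is reachable from anything other than trusted local clients. After changing the rule, re-running the search as an anonymous client and checking which identity the backend logs in its ACCEPT/BIND lines is the quickest way to confirm the restriction took effect.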