Hello,
Pierangelo Masarati <ando@sys-net.it> writes:
Dieter Kluenter wrote:
,----
| uri ldap://localhost:389
| acl-bind
|         bindmethod=sasl
|         saslmech=digest-md5
|         authcId=admanager
|         credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|         bindmethod=sasl
|         saslmech=digest-md5
|         authzId=u:admanager
`----
^^^ you should use authcId=admanager (or whatever identity you want to use as the proxy identity) much like for acl-bind... With the above, as far as I understand, you sort of try to bind anonymously and authz as admanager, which is unlikely to succeed (but I think it's trapped earlier by the proxy and nothing is actually sent to the remote server with respect to identity assertion; then the failure at the server's side).
Hope this helps.
I used authcId already, to no avail. I tested almost any possible parameter combination. On the remote server the password assertion of admanager and dieter is successfully performed, but after the password assertion no bind operation with any of those identities is performed.
,----[ password assertion by admanager ]
| slapd[7079]: => slap_access_allowed: no res from state (userPassword)
| slapd[7079]: => acl_mask: access to entry "cn=Dieter Kluenter,ou=Partner,o=avci,c=de", attr "userPassword" requested
| slapd[7079]: => acl_mask: to value by "cn=admanager,o=avci,c=de", (=0)
| slapd[7079]: <= check a_dn_pat: self
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: [2] applying read(=rscxd) (stop)
| slapd[7079]: <= acl_mask: [2] mask: read(=rscxd)
| slapd[7079]: => slap_access_allowed: read access granted by read(=rscxd)
| slapd[7079]: => access_allowed: read access granted by read(=rscxd)
`----
,----[ anonymous search ]
| slapd[7079]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
| slapd[7079]: => acl_mask: to all values by "", (=0)
| slapd[7079]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7079]: <= check a_dn_pat: users
| slapd[7079]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7079]: => slap_access_allowed: search access denied by =0
| slapd[7079]: => access_allowed: no more rules
`----
I have got the impression that the idassert-bind parameters are never passed to the remote server. If I disable the acl-bind parameters and only use the idassert-bind parameters, back-ldap complains about "SASL [conn=0] Failure: no secret in database", but no connection is made to the remote server in order to verify the credentials.
I must admit that on the remote server I have successfully configured SASL proxy authentication by means of ldapdb. All I want to do is to put back-ldap on a postfix server and use the sasl auxprop ldapdb against back-ldap.
-Dieter
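For reference, the proxy-side slapd.conf fragment that Pierangelo's suggestion leads to, written out as an added example; it is not a configuration posted in this thread. It keeps the host, the admanager identity and the dc=dkluenter,dc=de base from the quoted config, uses a placeholder password, and assumes the directive syntax of slapd-ldap(5) for OpenLDAP 2.3 (acl-bind, idassert-bind, idassert-authzFrom):

```conf
# Added example, not from the thread: back-ldap proxy with SASL DIGEST-MD5
# identity assertion. "admanager", localhost and the dkluenter base DN come
# from the quoted config; CHANGE-ME is a placeholder password.
database        ldap
suffix          "dc=dkluenter,dc=de"
uri             ldap://localhost:389

# Identity the proxy itself uses for its own housekeeping operations.
acl-bind        bindmethod=sasl
                saslmech=DIGEST-MD5
                authcId=admanager
                credentials=CHANGE-ME

# Identity the proxy authenticates as before asserting the client's identity.
# authcId says who the proxy *is*; the identity it *becomes* on the remote
# server is taken per request from the client's local bind, not from a
# fixed authzId.  With the default mode (legacy) anonymous clients are
# passed through anonymously, which is what the "anonymous search" log
# above shows.
idassert-bind   bindmethod=sasl
                saslmech=DIGEST-MD5
                authcId=admanager
                credentials=CHANGE-ME

# Only these local identities may be asserted to the remote server.
# (The quoted, commented-out pattern "ou=(*)?" is not a valid regex.)
idassert-authzFrom "dn.regex:^cn=[^,]+,ou=[^,]+,dc=dkluenter,dc=de$"
```

For the assertion to be accepted, the remote server must also allow admanager to act on behalf of those identities, i.e. an authz-policy of "to" (or "any"/"all") in its slapd.conf together with a matching authzTo value on the admanager entry; Dieter reports that side is already in place via ldapdb, so the proxy-side directives above are the part that differs from the quoted config.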