I've been racking my brains trying to understand the syntax of idassert-bind.
In my current setup I have a local bdb database with some users and the base entry for the tree. I have a meta database that is subordinate to the bdb database.
If I bind to the proxy as root, and search for anything, with any base (within the tree) openldap will bind to the relevant targets using the credentials defined in the idassert-bind directives.
If I bind to the proxy as a user that exists locally (within the bdb database) but not in any of the targets, openldap will bind to the targets anonymously using the dn defined in idassert-bind but no password.
If I bind to the proxy as a user that exists in one of the targets, it will bind to that target with the supplied credentials, and bind anonymously using the dn defined in idassert-bind to all other targets within scope.
Ideally, I would like the following situation:
If a user binds with local credentials, openldap should bind to the targets with the credentials supplied with idassert-bind.
If a user binds with remote credentials, openldap should bind to that target with the credentials supplied by the user, and either bind to the other targets using the pre-defined credentials OR not attempt to bind to those targets.
I have tried using 'flags=override', which works well to solve the local user problem. However if a user binds with remote credentials, openldap will first bind with those credentials, then rebind with the pre-defined credentials. The problem here is that the predefined credentials may not have the same privileges as the supplied credentials.
Here's something like my slapd.conf...
require authc

access to *
    by dn="cn=user a,dc=example,dc=com" read
    by dn="cn=user b,dc=example,dc=com" read
    by * auth

access to dn.sub="dc=target a,dc=meta,dc=example,dc=com"
    by dn="cn=user a,dc=example,dc=com" write
    by self write

# Meta Database
database meta
suffix "dc=meta,dc=example,dc=com"
subordinate
rootdn "cn=root,dc=example,dc=com"

## Target A
uri "ldap://192.168.1.10/dc=target a,dc=meta,dc=example,dc=com"
idassert-bind bindmethod=simple binddn="cn=ldapproxy,o=example" credentials="secret" mode=none
idassert-authzFrom "dn:*"
rewriteEngine on
suffixmassage "dc=target a,dc=meta,dc=example,dc=com" "o=example"

## Target B
uri "ldap://192.168.1.20/dc=target b,dc=meta,dc=example,dc=com"
idassert-bind bindmethod=simple binddn="cn=ldapproxy,dc=another,dc=com" credentials="secret" mode=none
idassert-authzFrom "dn:*"
rewriteEngine on
suffixmassage "dc=target b,dc=meta,dc=example,dc=com" "dc=another,dc=com"

# Local bdb database
database bdb
suffix "dc=example,dc=com"
directory /usr/local/var/openldap-data/example-base/
rootdn "cn=root,dc=example,dc=com"
rootpw "secret"
index objectclass eq
index cn,sn eq,sub
Thank you for taking the time to read this, any help would be greatly appreciated.
Best Regards,
Drew
Andrew Graham ICT AgustaWestland UK Tel No: +44 (0) 1935 70 4421 andrew.graham@agustawestland.com
> I've been racking my brains trying to understand the syntax of idassert-bind.
> In my current setup I have a local bdb database with some users and the base entry for the tree. I have a meta database that is subordinate to the bdb database.
> If I bind to the proxy as root, and search for anything, with any base (within the tree) openldap will bind to the relevant targets using the credentials defined in the idassert-bind directives.
> If I bind to the proxy as a user that exists locally (within the bdb database) but not in any of the targets, openldap will bind to the targets anonymously using the dn defined in idassert-bind but no password.
> If I bind to the proxy as a user that exists in one of the targets, it will bind to that target with the supplied credentials, and bind anonymously using the dn defined in idassert-bind to all other targets within scope.
> Ideally, I would like the following situation:
> If a user binds with local credentials, openldap should bind to the targets with the credentials supplied with idassert-bind.
> If a user binds with remote credentials, openldap should bind to that target with the credentials supplied by the user, and either bind to the other targets using the pre-defined credentials OR not attempt to bind to those targets.
If I get your wishes correctly, you should work at the idassert-authzFrom level to only enable identity assertion for local users, disabling it for remote users. You may need to set "non-prescriptive" in order to allow non-authorized users to connect anonymously.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
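The following slapd.conf fragment spells out the suggestion in the reply above. It is an added editorial example, not configuration from either poster or from the OpenLDAP project. It reuses the DNs, target URIs and proxy accounts from the first post and assumes, as the ACLs there suggest, that local users are direct children of dc=example,dc=com; the dn.onelevel pattern and the flags value are the editor's choices, and back-meta applies idassert directives to the target whose uri precedes them.

```conf
# Added example: assert the proxy identity only for users who authenticated
# against the local bdb database; remote users fall back to anonymous on the
# targets they did not authenticate to. DNs/hosts from the original post,
# everything else assumed.

# Meta Database (subordinate of the local dc=example,dc=com bdb database)
database        meta
suffix          "dc=meta,dc=example,dc=com"
subordinate
rootdn          "cn=root,dc=example,dc=com"

## Target A
uri             "ldap://192.168.1.10/dc=target a,dc=meta,dc=example,dc=com"
# Original catch-all: intended to let every bound identity ride on the
# privileges of cn=ldapproxy,o=example, which is exactly what allows a user
# authenticated against target B to be escalated on target A.
#idassert-authzFrom "dn:*"
#
# Restricted: only identities directly under the local base
# (cn=user a,dc=example,dc=com, cn=user b,dc=example,dc=com, ...) may have
# the proxy identity asserted. Entries under dc=meta,dc=example,dc=com sit
# one level deeper and do not match, so remote users are excluded.
idassert-authzFrom "dn.onelevel:dc=example,dc=com"
# non-prescriptive: identities that fail idassert-authzFrom are not refused
# (the prescriptive default answers inappropriateAuthentication); the proxy
# simply contacts this target anonymously on their behalf.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,o=example"
                credentials="secret"
                mode=none
                flags=non-prescriptive
rewriteEngine   on
suffixmassage   "dc=target a,dc=meta,dc=example,dc=com" "o=example"

## Target B
uri             "ldap://192.168.1.20/dc=target b,dc=meta,dc=example,dc=com"
idassert-authzFrom "dn.onelevel:dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,dc=another,dc=com"
                credentials="secret"
                mode=none
                flags=non-prescriptive
rewriteEngine   on
suffixmassage   "dc=target b,dc=meta,dc=example,dc=com" "dc=another,dc=com"
```

Two caveats worth checking before relying on this. First, a user who authenticated against one target still reaches the other target anonymously, so whatever that target exposes to anonymous binds is what remote users will see; if nothing should be visible, the target's own ACLs have to deny anonymous access, the proxy cannot do it for them. Second, every local user that matches the pattern inherits the full privileges of the cn=ldapproxy account on both targets, so those accounts should be granted only the read (or auth) access the proxy actually needs rather than a general-purpose administrative role.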