11:56 p.m.
Hello,
in the mailing list's archive is a lot of stuff about OpenLDAP as proxy
for another LDAP-Server using the ldap/meta backend, but I didn't find an
answere of my question (it's possible that I don't see the wood for the
trees).
I've the following problem:
Our OpenLDAP get's an request which contained a User-ID and Password from
a LDAP-Client. Our OpenLDAP propagate the authentification (User-ID,
Password) of the request to another LDAP-Server using the ldap/meta
backend. If the authentification is o.k. our OpenLDAP contributes the
reamining attributes (tel. number, surname etc.) and gives they back to
the requester.
I need as a response of a request an interaction of two LDAP-Server. From
the other LDAP-Server the authentification and if successfull from our
LDAP-Server the attributes.
Is there a fair chance to get a solution using the ldap/meta backend.
Thanks in advance for your efforts
Klaus
8:56 a.m.
ems(a)sparkassen-informatik.de wrote:
I need as a response of a request an interaction of two LDAP-Server.
From the other LDAP-Server the authentification and if successfull from
our LDAP-Server the attributes.
Is there a fair chance to get a solution using the ldap/meta backend.
Just a hint without thoroughly thinking about it. Maybe you could use
slapo-rwm for rewriting only the bind requests to another name space
served by back-ldap. Or maybe have a look at slapo-translucent and
combine it with back-ldap.
Ciao, Michael.
12:03 a.m.
ems(a)sparkassen-informatik.de wrote:
>
> I need as a response of a request an interaction of two LDAP-Server.
> From the other LDAP-Server the authentification and if successfull
from
> our LDAP-Server the attributes.
>
> Is there a fair chance to get a solution using the ldap/meta backend.
michael(a)stroeder.com wrote:
Just a hint without thoroughly thinking about it. Maybe you could use
slapo-rwm for rewriting only the bind requests to another name space
served by back-ldap. Or maybe have a look at slapo-translucent and
combine it with back-ldap.
Ciao, Michael.
It's sounds a little bit complicated. I've found some stuff under the
keyword "single sign on".
Do you think it's a better way to manage the problem with OpenLDAP and
Kerberos.
Cioa, Klaus
1:29 a.m.
On 9:03:07 am 2008-05-14 ems(a)sparkassen-informatik.de wrote:
ems(a)sparkassen-informatik.de wrote:
>>
>> I need as a response of a request an interaction of two
>> LDAP-Server. From the other LDAP-Server the authentification and
>> if successfull from
>> our LDAP-Server the attributes.
>>
>> Is there a fair chance to get a solution using the ldap/meta
>> backend.
michael(a)stroeder.com wrote:
> Just a hint without thoroughly thinking about it. Maybe you could
> use slapo-rwm for rewriting only the bind requests to another name
> space served by back-ldap. Or maybe have a look at
> slapo-translucent and combine it with back-ldap.
It's sounds a little bit complicated. I've found some stuff under the
keyword "single sign on".
Do you think it's a better way to manage the problem with OpenLDAP
and Kerberos.
This all really depends on what you want to achieve: Your applications,
security policy, etc.
Ciao, Michael.
1:49 a.m.
Hello,
ems(a)sparkassen-informatik.de writes:
Hello,
in the mailing list's archive is a lot of stuff about OpenLDAP as proxy for
another LDAP-Server using the ldap/meta backend, but I didn't find an answere
of my question (it's possible that I don't see the wood for the trees).
I've the following problem:
Our OpenLDAP get's an request which contained a User-ID and Password from a
LDAP-Client. Our OpenLDAP propagate the authentification (User-ID, Password)
of the request to another LDAP-Server using the ldap/meta backend. If the
authentification is o.k. our OpenLDAP contributes the reamining attributes
(tel. number, surname etc.) and gives they back to the requester.
I need as a response of a request an interaction of two LDAP-Server. From the
other LDAP-Server the authentification and if successfull from our LDAP-Server
the attributes.
Is there a fair chance to get a solution using the ldap/meta backend.
Just to make sure, there are two directories, one that provides
information on authentication and authorization, the second directory
provides some additional iformation. If that is your request, than you
may have a look at the translucent overlay.
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
6:57 a.m.
New subject: OpenLDAP as proxy for another LDAP-Server
On Wed, May 14, 2008 at 10:49:02AM +0200, Dieter Kluenter wrote:
Just to make sure, there are two directories, one that provides
information on authentication and authorization, the second directory
provides some additional iformation. If that is your request, than you
may have a look at the translucent overlay.
That would depend on whether the two servers had identical namespaces
(tree layout, choice of RDN etc).
I have a similar requirement at the moment except that I only want to
use the second LDAP server to authenticate for a small proportion of the
entries in the first one. The namespaces are very different. I think
it can be done with a combination of rwm, back-ldap/back-meta and
slapd-relay, but this seems rather complex when all I really need is
'pass-through authentication'.
I will report back to the list if I come up with a workable solution,
but in the mean time does anyone have any pointers to a neat way of
doing this?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
7:45 a.m.
New subject: OpenLDAP as proxy for another LDAP-Server
Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> writes:
On Wed, May 14, 2008 at 10:49:02AM +0200, Dieter Kluenter wrote:
> Just to make sure, there are two directories, one that provides
> information on authentication and authorization, the second directory
> provides some additional iformation. If that is your request, than you
> may have a look at the translucent overlay.
That would depend on whether the two servers had identical namespaces
(tree layout, choice of RDN etc).
I have a similar requirement at the moment except that I only want to
use the second LDAP server to authenticate for a small proportion of the
entries in the first one. The namespaces are very different. I think
it can be done with a combination of rwm, back-ldap/back-meta and
slapd-relay, but this seems rather complex when all I really need is
'pass-through authentication'.
I will report back to the list if I come up with a workable solution,
but in the mean time does anyone have any pointers to a neat way of
doing this?
I have done similar with back-sql
database sql
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
...
database relay
suffix "ou=sql-user,o=avci,c=de"
relay dc=example,dc=com
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap <rules>
subordinate
database hdb
suffix "o=avci,c=de"
rootdn "cn=admin,o=avci,c=de"
...
-Dieter
--
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
10:58 a.m.
New subject: OpenLDAP as proxy for another LDAP-Server
On Thu, 15 May 2008, Andrew Findlay wrote:
...
I have a similar requirement at the moment except that I only want
to
use the second LDAP server to authenticate for a small proportion of the
entries in the first one. The namespaces are very different. I think
it can be done with a combination of rwm, back-ldap/back-meta and
slapd-relay, but this seems rather complex when all I really need is
'pass-through authentication'.
I will report back to the list if I come up with a workable solution,
but in the mean time does anyone have any pointers to a neat way of
doing this?
How about by using saslauthd? Configure the users that need pass-through
authentication with userPassword values in the form "{SASL}user@domain",
put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure
saslauthd to authenticate against the backend server. That gives you both
complete control over who gets passed through (only those with the {SASL}
format) and complete flexibility in the mapping of frontend users to
backend users (by tweaking the "user@domain" in each user's userPassword
attribute).
Philip Guenther
10:17 a.m.
New subject: OpenLDAP as proxy for another LDAP-Server
On Thu, May 15, 2008 at 11:58:28AM -0600, Philip Guenther wrote:
How about by using saslauthd? Configure the users that need
pass-through
authentication with userPassword values in the form "{SASL}user@domain",
put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure
saslauthd to authenticate against the backend server. That gives you both
complete control over who gets passed through (only those with the {SASL}
format) and complete flexibility in the mapping of frontend users to
backend users (by tweaking the "user@domain" in each user's userPassword
attribute).
That does look like the best solution so far, thank you.
Odd that such a useful feature is not mentioned in the docs at all. It
is a bit tricky to set up due to the interactions with Cyrus SASL, but
I now have it running so I will write a section for the Admin Guide
explaining how to do it.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
3:39 a.m.
New subject: pass-through authentication (was: Re: OpenLDAP as proxy for another LDAP-Server)
On Fri, May 16, 2008 at 06:17:44PM +0100, Andrew Findlay wrote:
On Thu, May 15, 2008 at 11:58:28AM -0600, Philip Guenther wrote:
> How about by using saslauthd? Configure the users that need pass-through
> authentication with userPassword values in the form "{SASL}user@domain",
I now have it running so I will write a section for the Admin Guide
explaining how to do it.
Done, and submitted as ITS#5524:
http://www.openldap.org/its/index.cgi/Incoming?id=5524;selectid=5524
I attach the relevant chapter as an HTML file for anyone who is
waiting to try pass-through authentication. Please let me know if you
think of any improvements, or follow up to the thread on the
openldap-its list.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
5472
days inactive
5493
days old
openldap-software@openldap.org
9 comments
6 participants
participants (6)
-
"Michael Ströder" -
Andrew Findlay -
Dieter Kluenter -
ems@Sparkassen-Informatik.de -
Michael Ströder
-
Philip Guenther