On 1 March 2012 at 11:03, Liam Gretton liam.gretton@leicester.ac.uk wrote:
On 08/02/2012 09:58, W.Siebert@t-systems.com wrote:
Is it possible to implement the controlled proxy with OpenLDAP? E.g., like Radiusproxy based on realm: when the username is xxx@domain01.com go to target1, and when the username is xxx@domain99.net go to target2.
Yes, a combination of meta database config in slapd.conf and appropriate SASL config.
In your schema, use the following in userPassword:
userPassword: {SASL}xxx@DOMAIN
where DOMAIN is whichever domain the user needs to be authenticated against.
In slapd.conf:
database meta
suffix dc=local
rootdn cn=administrator,dc=local
rootpw secret

# domain01
uri ldaps://domain01.com:3269/ou=domain01.com,dc=local
lastmod off
# map the virtual naming context onto the real one on the target
suffixmassage "ou=domain01.com,dc=local" "dc=domain01,dc=com"
idassert-bind bindmethod=simple binddn="cn=binder,dc=domain01,dc=com" credentials="password" flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=administrator,dc=local"

# domain02
uri ldaps://domain02.com:3269/ou=domain02.com,dc=local
lastmod off
suffixmassage "ou=domain02.com,dc=local" "dc=domain02,dc=com"
idassert-bind bindmethod=simple binddn="cn=binder,dc=domain02,dc=com" credentials="password" flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=administrator,dc=local"
In saslauthd.conf you need to create the appropriate search base for authentication based on the domain in the userPassword field:
ldap_servers: ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta
ldap_search_base: ou=%d,dc=local
ldap_filter: (sAMAccountName=%U)
ldap_auth_method: bind
ldap_bind_dn: cn=administrator,dc=local
ldap_password: secret
ldap_deref: never
ldap_use_sasl: no
Hopefully this is enough info to get you going.
I wrote complete documentation on how to manage this with back-meta or back-ldap: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Hope it helps,
Clément.
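As an added illustration (not part of the thread, and not OpenLDAP or saslauthd code), the following Python models the routing the quoted configuration performs: saslauthd's %U/%d substitution into the search base and filter, back-meta's choice of target by naming context, and the suffixmassage rewrite. The suffixes and URIs are the ones from the quoted slapd.conf; an unknown domain yields no target, so the bind cannot be routed anywhere.

```python
import re

# Targets from the quoted slapd.conf: virtual suffix -> (uri, real naming context)
META_TARGETS = {
    "ou=domain01.com,dc=local": ("ldaps://domain01.com:3269", "dc=domain01,dc=com"),
    "ou=domain02.com,dc=local": ("ldaps://domain02.com:3269", "dc=domain02,dc=com"),
}

# Templates from the quoted saslauthd.conf
SEARCH_BASE = "ou=%d,dc=local"
FILTER = "(sAMAccountName=%U)"

SASL_RE = re.compile(r"^\{SASL\}([^@]+)@(.+)$")


def parse_sasl_passthrough(user_password):
    """Split a '{SASL}user@DOMAIN' userPassword into (user, domain); None otherwise."""
    m = SASL_RE.match(user_password)
    return (m.group(1), m.group(2)) if m else None


def saslauthd_query(user, domain):
    """Apply saslauthd's %U (part before '@') and %d (realm) substitutions."""
    return SEARCH_BASE.replace("%d", domain), FILTER.replace("%U", user)


def select_target(search_base):
    """Pick the target whose naming context is a suffix of the search base.

    The comparison is case-insensitive because ou uses caseIgnoreMatch, so an
    upper-case realm in userPassword still reaches the lower-case suffix.
    Returns (uri, massaged base) or None when no target matches.
    """
    base = search_base.lower()
    for suffix, (uri, real_ctx) in META_TARGETS.items():
        if base == suffix or base.endswith("," + suffix):
            # suffixmassage: swap the virtual naming context for the real one
            prefix = search_base[: len(search_base) - len(suffix)]
            return uri, prefix + real_ctx
    return None


def route(user_password):
    """userPassword value -> (uri, real search base, filter), or None if unroutable."""
    parsed = parse_sasl_passthrough(user_password)
    if parsed is None:
        return None  # not a pass-through entry; slapd checks the hash itself
    base, flt = saslauthd_query(*parsed)
    target = select_target(base)
    return None if target is None else (target[0], target[1], flt)
```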