--On Thursday, May 1, 2025 10:19 PM +0000 Fred N fred750164@gmail.com wrote:
Hello,
I'm trying to set up an OpenLDAP architecture where a client connects to a proxy using an unencrypted connection with a simple bind (e.g., via ldapsearch), and the proxy then connects securely to a backend LDAP server using TLS client certificate authentication via SASL EXTERNAL.
Here is what I'm aiming for:
• The client uses simple bind over ldap:// to connect to the proxy.
• The proxy should ignore the client's bind credentials and use its own certificate to connect to the backend via ldaps:// or ldap+starttls:// using SASL EXTERNAL.
• The backend uses authz-regexp rules to map the proxy's certificate DN to a local identity, which is authorized to perform the search on behalf of the client.
I've tested this setup with OpenLDAP versions 2.4, 2.5, and 2.6 but have not been able to make it work.
I gave a configuration in my first message and I have tried several configurations, but I always come back to this one when I read the docs or look at the forums.
Hi Fred,
You posted an abbreviated configuration, not your full configuration.
Additionally -
a) No clue what identity the proxy server maps to on the backend server.
b) No clue if you've configured the authzTo: on that identity to allow it to assume other identities.
I can say that in my environment:
*) A client can simple bind to a consumer and perform a write op.
*) The back-ldap configuration will then do a SASL/EXTERNAL bind to one of my providers as a specific identity.
*) That identity has the ability to authzTo: anything, so it can assert the identity of what bound to the consumer on the provider.
Regards, Quanah
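The layout Quanah describes (client binds locally, the chained operation reaches the provider over TLS as the proxy's own SASL/EXTERNAL identity, which is mapped with authz-regexp and granted authzTo), written out as a constructed slapd.conf example; it is not Fred's or Quanah's configuration, and the hostnames, file paths, DNs and certificate subject are assumptions.

```conf
### consumer (proxy side) slapd.conf: local database + chain overlay
TLSCACertificateFile   /etc/ldap/ca.crt
TLSCertificateFile     /etc/ldap/consumer.crt
TLSCertificateKeyFile  /etc/ldap/consumer.key

database  mdb
suffix    "dc=example,dc=com"
rootdn    "cn=admin,dc=example,dc=com"
directory /var/lib/ldap
# Clients simple-bind here; the password is verified against this local database.

# Writes are forwarded to the provider over TLS using the consumer's own
# certificate (SASL EXTERNAL). mode=none keeps the client's DN as the asserted
# identity, sent in a proxyAuthz control on every forwarded operation.
overlay chain
chain-uri "ldaps://provider.example.com/"
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL
    tls_cert=/etc/ldap/consumer.crt tls_key=/etc/ldap/consumer.key
    tls_cacert=/etc/ldap/ca.crt tls_reqcert=demand mode=none
chain-idassert-authzFrom "*"
chain-return-error TRUE

### provider (backend) slapd.conf
TLSCACertificateFile   /etc/ldap/ca.crt
TLSCertificateFile     /etc/ldap/provider.crt
TLSCertificateKeyFile  /etc/ldap/provider.key
TLSVerifyClient        try    # request a client certificate; EXTERNAL needs one
# Map the consumer certificate's subject DN to a local entry. Run
#   ldapwhoami -H ldaps://provider.example.com/ -Y EXTERNAL
# from the consumer host (LDAPTLS_CERT/LDAPTLS_KEY pointing at the consumer
# cert) to see the exact authcDN string slapd derives before writing the regexp.
authz-regexp
    "^cn=consumer,o=example,c=us$"
    "cn=consumer,ou=services,dc=example,dc=com"
authz-policy to    # honour authzTo on the authenticating (consumer) entry

database  mdb
suffix    "dc=example,dc=com"
directory /var/lib/ldap

### LDIF for the provider entry the consumer maps to; authzTo lets it assert
### any DN (narrow it with dn.subtree: if "anything" is more than you want)
# dn: cn=consumer,ou=services,dc=example,dc=com
# objectClass: applicationProcess
# cn: consumer
# authzTo: dn.regex:^.*$
```

With a plain `database ldap` proxy the same `idassert-bind` and `idassert-authzFrom` directives apply without the `chain-` prefix, but back-ldap then forwards the client's simple bind to the backend instead of verifying it locally.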