looks like I was fighting with bugs in my old openldap snapshot from Ubuntu 12.04. Compiling and using the latest version works.
On 25.04.14 10:45, Charles Bueche wrote:
Dear members,
We are trying to create a LDAP proxy to hide two distinct AD servers behind a "single LDAP view". The goal is to authentify and authorize extranet and internal users using a single LDAP server, as LDAP clients (eg Apache) should only talk to a single LDAP server, and not be aware about the multiple AD servers behind the proxy.
Our understanding is that we can create a meta database with two back-ends, using distinct uri/suffix/etc.
What works:
- using an AD user to talk to the proxy, which then is re-used by the
proxy to talk to the back-end
What does not work:
- one "front-end", simple-bind LDAP-user used to access the LDAP-proxy,
and only known to the proxy
- one back-end user per back-end (known in AD).
So we want to first search where a user is by using a front-end account, and then retry a bind with the user's effective username and password using its correct DN.
Our config:
database meta suffix dc=meta,dc=x1,dc=ch uri "ldaps://ad1.ad.x1.ch/OU=O3,dc=meta,dc=x1,dc=ch" suffixmassage "OU=O3,dc=meta,dc=x1,dc=ch" "OU=O3,dc=ad,dc=x1,dc=ch"
idassert-authzFrom "dn:*" idassert-bind bindmethod=simple tls_reqcert=allow binddn="CN=ldapsrvusr,OU=Service Accounts,OU=O3,dc=ad,dc=x1,dc=ch" credentials="abcdef12345"
When we try to use idassert-bind above, we always get the following error in the log:
... 535a1f25 conn=1000 op=1 <<< meta_search_dobind_init[0]=4 535a1f25 conn=1000 op=1 <<< meta_back_search_start[0]=4 535a1f25 conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*" 535a1f25 conn=1000 op=1 >>> meta_search_dobind_init[0] 535a1f25 conn=1000 op=1 meta_search_dobind_init[0] mc=0x7f17fc008ef0: non-empty dn with empty cred; binding anonymously ...
so it looks our identity is never used beyond the proxy to talk to the AD.
help welcome. TIA, Charles