Hello,
I've set up a simple proxy so that local LDAP clients can get access to protected attributes on a remote server. My proxy is slapd 2.4.31 with this slapd.conf:
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none
modulepath /usr/lib/ldap
moduleload back_ldap
sizelimit 500
tool-threads 1
backend ldap
database ldap
suffix "dc=company,dc=com"
uri ldap://ldap.company.com:389
idassert-bind bindmethod=simple binddn="uid=my_id,ou=my_dept,dc=company,dc=com" credentials="mypass" authcId="dn:uid=my_id,ou=my_dept,dc=company,dc=com" mode=legacy
ldap.company.com permits the my_id DN to access privileged attributes that anonymous users cannot. I can run ldapsearch against ldap.company.com with simple auth, binding as my_id, and view the privileged attributes.
ldapsearch -H ldap://ldap.company.com:389 -LLL -x \
  -b ou=users,dc=company,dc=com \
  -W -D uid=my_id,ou=my_dept,dc=company,dc=com \
  "(uid=12345)"
When I run ldapsearch against my proxy slapd with the above slapd.conf however...
ldapsearch -H ldap://myproxy.company.com:389 -LLL -x \
  -b ou=users,dc=company,dc=com \
  "(uid=12345)"
... a packet trace shows that slapd is connecting to ldap.company.com without binding as my_id:
LDAPMessage bindRequest(1) "<ROOT>" simple
    messageID: 1
    protocolOp: bindRequest (0)
        bindRequest
            version: 3
            name:
            authentication: simple (0)
                simple: <MISSING>
As a result I do not see the privileged attributes.
Based on the docs http://manpages.ubuntu.com/manpages/trusty/man5/slapd-ldap.5.html, I've chosen mode=legacy because I'd like for the proxy to "perform a simple bind as the authcDN ... and assert the client's identity when it is not anonymous."
I've also tried following the advice at http://www.openldap.org/faq/data/cache/532.html which states:
If no authzID is given, and mode is set to none (for instance because the remote server does not support the proxyAuthz control), the clients will be authorized as "cn=Proxy,dc=example,dc=com" even if they actually connected anonymously to the proxy.
yielding:
idassert-bind bindmethod=simple binddn="uid=my_id,ou=my_dept,dc=company,dc=com" credentials="mypass" mode=none
But an ldapsearch of my proxy then reports "Inappropriate authentication (48)" which I don't understand because client-to-proxy and proxy-to-remote all use simple auth.
What am I doing wrong? Any advice is greatly appreciated!
Ryan
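The packet trace above is the decisive evidence: a BindRequest with an empty name and empty simple credentials is, per RFC 4513, an anonymous bind, regardless of what slapd.conf was meant to do. The following is an added example, not code from Ryan's post or from OpenLDAP, that encodes and decodes the LDAP BindRequest PDU so the upstream bind seen on the wire can be checked mechanically. The anonymous-bind byte string is constructed to match the trace (messageID 1, version 3, empty name, empty password).

```python
"""Encode/decode an LDAP simple BindRequest (RFC 4511) and flag anonymous binds."""

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _int(n: int) -> bytes:
    """Two's-complement INTEGER content; extra leading zero keeps it positive."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def encode_bind(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest, simple auth }."""
    op = _tlv(0x02, _int(3)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password)
    return _tlv(0x30, _tlv(0x02, _int(msg_id)) + _tlv(0x60, op))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def decode_bind(msg: bytes) -> dict:
    """Parse a BindRequest; 'anonymous' is True for empty name and password."""
    tag, body, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, pos = _read_tlv(op, 0)
    _, name, pos = _read_tlv(op, pos)
    auth_tag, cred, _ = _read_tlv(op, pos)
    dn = name.decode()
    return {"messageID": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": dn, "simple": auth_tag == 0x80,
            "anonymous": dn == "" and len(cred) == 0}

# Constructed: the bytes of the anonymous bind shown in the packet trace.
ANON_BIND = bytes.fromhex("300c020101600702010304008000")
```

Feeding the first BindRequest the proxy sends upstream into decode_bind gives a quick yes/no on whether idassert-bind actually took effect before digging further into the configuration.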