On 03/04/12 16:47, Induni, Marco wrote:
Hi all, I'm building an OpenLDAP proxy to an AD server and adding a little "intelligence" based on the client request.
Unfortunately the client/program asking for information about an account needs to be set up with a user and password. Is there a way to let the proxy "ignore" this user and password and instead just use the ones specified in the slapd.conf file? Or to set up fake credentials somewhere?
In detail, the queries are something like:
ldapsearch -x -h openldap-proxy -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10
but I need the proxy to exclude the -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" part and use the one in the conf file. In fact, if I do a query like:
ldapsearch -x -h openldap-proxy -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10
it works.
Here is the slapd.conf:
database meta
suffix "dc=pmm,dc=int"
uri "ldap://10.10.10.1/dc=pmm,dc=int"
suffixmassage "dc=pmm,dc=int" "dc=media,dc=int"
rewriteContext searchFilter
rewriteRule "userPrincipalName=(.*)@rtsi.ch" "userPrincipalName=%1@rsi.ch" ":"
rewriteRule "sAMAccountName=([:alnum:])" "userPrincipalName=%1@rtr.ch" ":"
idassert-bind bindmethod=simple
    binddn="CN=svc-adread05,CN=AdminAccounts,OU=RSI,OU=Units,DC=media,DC=int "
    credentials="Comano2012"
    mode=self
idassert-authzFrom "dn.regex:.*"
Any idea?
You can configure the ldap and meta backends to use different authentication for the outgoing connection to the proxied server by setting mode=none in the idassert-bind directive. For example:
idassert-bind bindmethod=simple binddn="cn=proxyuser,dc=ad,dc=com" credentials=secret mode=none
This will cause all connections to the proxied LDAP server to use those credentials. Is this what you're trying to achieve?
Jonathan
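Putting the two posts together, here is the meta database stanza from the question with mode=self replaced by mode=none and idassert-authzFrom narrowed to the one client DN expected to use the proxy. This is an added example, not configuration from either poster; the rewrite rules from the original are unchanged and left out, and the password is a placeholder.

```conf
# slapd.conf fragment: back-meta database proxying the AD tree.
# Every operation forwarded to AD is performed as the service account,
# whatever DN the client used when it bound to the proxy.
database        meta
suffix          "dc=pmm,dc=int"

uri             "ldap://10.10.10.1/dc=pmm,dc=int"
suffixmassage   "dc=pmm,dc=int" "dc=media,dc=int"

# mode=none: the outgoing connection binds as this identity and no
# proxyAuthz control is added, so AD never sees the client's DN.
idassert-bind   bindmethod=simple
                binddn="CN=svc-adread05,CN=AdminAccounts,OU=RSI,OU=Units,DC=media,DC=int"
                credentials="<service-account-password>"
                mode=none

# Only these local client identities may have their operations carried
# out under the service account. The original "dn.regex:.*" lets every
# identity that reaches the proxy read AD as svc-adread05; listing the
# application's DN keeps other clients from doing the same.
idassert-authzFrom "dn.exact:CN=MGRADREAD05,CN=MGR,DC=example,DC=com"
```

Clients whose bind DN is not matched by idassert-authzFrom are not mapped onto the service account, so the scope of this rule is the control that decides who can read AD through the proxy.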