On 20 October 2013 09:26, Jesus Jr M Salvo jesus.m.salvo@gmail.com wrote:
Hi there,
I actually used that link / your example as the basis for my tests. Thanks for the info you published. From what I can summarise in your work, you have:
- Pass-through authentication on one LDAP directory:
LDAP Client ---simple BIND--> OpenLDAP ---sasl---> saslauthd ---simple BIND--> AD
- PTA on several LDAP directories --- with meta backend
LDAP Client ---sasl --- saslauthd --- simple BIND --> OpenLDAP ----simple BIND--> AD
- PTA on several LDAP directories --- with ldap backend
LDAP Client ---sasl --- saslauthd --- simple BIND --> OpenLDAP ----simple BIND--> AD
However, the scenario that I want to achieve is that the client connecting to OpenLDAP must also use saslauthd, because that is the only way svnserve ( Subversion ) can talk to an LDAP directory. Also, because I can only talk to AD2 using sasl bind and NOT simple bind, I also have to use saslauthd to talk to AD2.
So what I really want to achieve is, using ASCII art / fixed width fonts:
LDAP Client ( e.g. svnserve / testsaslauthd ) ---sasl ---> saslauthd -> OpenLDAP
                                                                        |------- sasl ---> saslauthd ---SASL BIND--> AD1
                                                                        |------- sasl ---> saslauthd ---SASL BIND--> AD2
The user that needs to be authenticated from the LDAP client ( e.g. svnserve / testsaslauthd ) is on either AD1 or AD2.
From what I can summarise, I will actually need three ( 3 ) saslauthd processes, with different unix sockets, and with different saslauthd.conf.
Is there a way for OpenLDAP to talk to another LDAP directory using SASL / DIGEST-MD5 without having to use saslauthd? So that I only need one (1) saslauthd ( from svnserve to OpenLDAP )?
Sorry to the people on the list ... I did not realise that gmail was NOT sending plain/text until I read my message in the list archive! ... I thought selecting "Remove Formatting" would send it as plain/text, but I have to select "More Options" and select "Plain text mode". Been a while since I used gmail to send to a mailing list.
Anyway, what I hope to achieve may not actually be possible ( PTA with SASL bind ). That is because the first thing that happens with SASL bind, at least with DIGEST-MD5, is that:
1) LDAP client sends bindRequest with mechanism ( no user or password or realm is sent yet )
2) LDAP server returns the NONCE to the client ( bindInProgress )
3) LDAP client sends another bindRequest with the credentials ( username, realm, and the NONCE ) -- bindInProgress
4) LDAP server returns either a success or invalidCredentials
Therefore, the proxy will not know what backend the client really wants to connect to until step 3 above.
Oh well.
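A constructed simulation of the four-step DIGEST-MD5 bind described in the message above, added here and not part of the thread or of OpenLDAP/saslauthd: the two backends, their user tables and the proxy routine are assumptions. It shows that a proxy answering step 1 has to commit to one backend's nonce before any username or realm is visible, so a user on the other backend can no longer be routed correctly at step 3.

```python
import hashlib
import secrets

def _hx(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def digest_response(username, realm, password, nonce, cnonce, digest_uri,
                    nc="00000001", qop="auth"):
    """RFC 2831 response-value for algorithm=md5-sess, qop=auth (no authzid)."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
    a1 = ha1 + f":{nonce}:{cnonce}".encode()
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hx(f"{_hx(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hx(a2)}".encode())

class Backend:
    """One directory behind the proxy (AD1 / AD2 in the thread); constructed users."""
    def __init__(self, realm, users):
        self.realm, self.users, self.nonce = realm, users, None

    def bind_step2(self, mechanism):
        # Thread step 2: answer the mechanism-only bindRequest with a challenge.
        if mechanism != "DIGEST-MD5":
            raise ValueError("unsupported mechanism")
        self.nonce = secrets.token_hex(16)
        return {"realm": self.realm, "nonce": self.nonce, "qop": "auth"}

    def bind_step4(self, resp):
        # Thread step 4: LDAP result code 0 = success, 49 = invalidCredentials.
        pw = self.users.get(resp["username"])
        if pw is None or resp["realm"] != self.realm or resp["nonce"] != self.nonce:
            return 49
        expected = digest_response(resp["username"], resp["realm"], pw,
                                   resp["nonce"], resp["cnonce"], resp["digest-uri"])
        return 0 if secrets.compare_digest(expected, resp["response"]) else 49

def proxy_sasl_bind(backends, username, realm, password,
                    digest_uri="ldap/proxy.example.com"):
    """Proxy in front of several backends; returns (realm it committed to, result).
    Step 1 carries only the mechanism, so the proxy must pick a backend blind."""
    chosen = backends[0]
    challenge = chosen.bind_step2("DIGEST-MD5")         # nonce now tied to `chosen`
    cnonce = secrets.token_hex(8)
    resp = {"username": username, "realm": realm, "nonce": challenge["nonce"],
            "cnonce": cnonce, "digest-uri": digest_uri,
            "response": digest_response(username, realm, password,
                                        challenge["nonce"], cnonce, digest_uri)}
    # Step 3: the realm is visible only now; another backend would reject this
    # nonce, so the proxy cannot re-route the bind to it.
    return chosen.realm, chosen.bind_step4(resp)
```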