Hi,
On 23/04/10 17:17, masarati@aero.polimi.it wrote:
The problem is that you probably do not realize that the proxy cannot do cert-based authentication on behalf of the client because it doesn't have the client's private key (which is correct). You need the proxy to perform an identity assertion: bind to the remote server with its own identity, and then assert the client's identity using proxy authorization.
To do this, you need to:
a) define some means for the proxy to bind to the remote server, e.g. using cert-based SASL EXTERNAL, or simple bind under TLS, or whatever;
b) configure the remote server so that the proxy's identity defined in (a) is allowed to proxy authz as whatever client identity you want to accept; this requires the use of the "authz-policy" directive; you may need to use "authz-regexp" if you intend to map the client's identity; and you'll need to populate the "authzTo" operational attribute of the entry corresponding to the proxy's identity.
c) add to the proxy configuration the directive
idassert-bind bindmethod=<what you chose for (a)> <bind parameters for (a)> mode=self
The simple bind under TLS worked, but when I try to use cert-based SASL EXTERNAL authentication I get no success.
In the proxy server configuration I add the following directive:
idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem tls_key=/etc/ssl/private/proxy-server1.example.com.key tls_cacertdir=/etc/ssl/cacerts/ tls_reqcert=demand mode=self
In the master (remote) server I set:
#
# Authz
#
authz-policy to
authz-regexp "CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" cn=proxy_id,dc=example,dc=com
The cn=proxy_id,dc=example,dc=com has the following content:
ldapsearch -LLL -b 'cn=proxy_id,dc=example,dc=com' -H ldaps://proxy-server1.example.com -x -D 'cn=Manager,dc=example,dc=com' -w secret authzTo
dn: cn=proxy_id,dc=example,dc=com
authzTo: ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)
But when I try to modify a password through the proxy I get the following error:
ldapmodify -x -H ldaps://proxy-server1.example.com -f pass2_user.ldif -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W
Enter LDAP Password:
modifying entry "uid=user_w_pass,ou=people,dc=example,dc=com"
ldap_modify: Insufficient access (50)
With simple bind I got the following message in syslog:
ldap-master[11314]: conn=1002 op=1 PROXYAUTHZ dn="uid=user_w_pass,ou=people,dc=example,dc=com"
But not in the cert-based SASL EXTERNAL case.
Is there something wrong in the configuration?
Thanks in advance.
This way, the proxy will:
authc the client locally
authc as itself with respect to the remote host
proxy operations adding the proxyAuthz control with the identity of the client
See slapd-ldap(5) for details on the syntax of the idassert-* directives.
p.
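An added, simplified model (not slapd's code, and not written by anyone in this thread) of the two checks the remote server performs before honouring a proxied operation: the authz-regexp mapping of the proxy's SASL EXTERNAL identity, followed by the authzTo lookup that "authz-policy to" requires. It assumes, as the OpenLDAP admin guide describes, that slapd presents a TLS client-certificate identity as dn:<DN in normalized, lowercase form>; the directory entries and the regexp rule are constructed sample values.

```python
import re
from urllib.parse import unquote

# Constructed sample values, copied from the configuration quoted in the thread.
PROXY_CERT_SUBJECT = "CN=proxy-server1.example.com,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
AUTHZ_REGEXP = [  # (pattern, replacement); the pattern is matched against the normalized authc identity
    (r"^dn:cn=proxy-server1\.example\.com,o=internet widgits pty ltd,st=some-state,c=au$",
     "cn=proxy_id,dc=example,dc=com"),
]
AUTHZ_TO = {"cn=proxy_id,dc=example,dc=com":
            ["ldap:///ou=people,dc=example,dc=com??sub?(objectClass=person)"]}
DIRECTORY = {  # constructed stand-in for the remote server's entries
    "uid=user_w_pass,ou=people,dc=example,dc=com": {"objectclass": ["inetOrgPerson", "person"]},
    "cn=manager,dc=example,dc=com": {"objectclass": ["organizationalRole"]},
}

def normalize_dn(dn):
    # Assumption: lowercase and trim each RDN, approximating slapd's normalized DN form.
    return ",".join(part.strip().lower() for part in dn.split(","))
def sasl_external_identity(cert_subject):
    # Assumption: slapd presents a TLS client-certificate identity as "dn:<normalized DN>".
    return "dn:" + normalize_dn(cert_subject)
def map_identity(authc_id, rules):
    # authz-regexp: the first matching rule wins; no match means the identity maps to nothing.
    for pattern, replacement in rules:
        m = re.match(pattern, authc_id)
        if m: return normalize_dn(m.expand(replacement))
    return None
def parse_ldap_url(url):
    # ldap:///<base>?<attrs>?<scope>?<filter>; a missing scope defaults to "base".
    base, _attrs, scope, filt = (url[len("ldap:///"):].split("?") + [""] * 3)[:4]
    return normalize_dn(unquote(base)), scope or "base", unquote(filt)
def in_scope(dn, base, scope):
    # Only the "base" and "sub" scopes are modelled here.
    return dn == base if scope == "base" else (dn == base or dn.endswith("," + base))
def matches_filter(entry, filt):
    # Only a single equality filter such as (objectClass=person) is modelled here.
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m: raise ValueError("unsupported filter: " + filt)
    return m.group(2).lower() in [v.lower() for v in entry.get(m.group(1).lower(), [])]
def may_assert(cert_subject, client_dn):
    # authz-policy "to": the proxy's mapped entry must hold an authzTo URL that covers the client DN.
    proxy_dn = map_identity(sasl_external_identity(cert_subject), AUTHZ_REGEXP)
    client_dn, entry = normalize_dn(client_dn), DIRECTORY.get(normalize_dn(client_dn))
    if proxy_dn is None or entry is None:
        return False
    return any(in_scope(client_dn, base, scope) and matches_filter(entry, filt)
               for base, scope, filt in map(parse_ldap_url, AUTHZ_TO.get(proxy_dn, [])))
```

Under these assumptions the rule is written against the normalized identity, dn: prefix included, rather than against the subject as printed in the certificate, and an identity that matches no rule is denied without any authzTo lookup taking place.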