Yeah that was my thought. I've tried about a dozen different combinations and I run into one problem..
First, rebind-as-user and chain-idassert-bind seem to only work properly when I bind to openldap anonymously.
The other problem is that the user authentication can't be passed along because this is essentially being built to provide access to two completely separate active directory ldap servers for user authorization from a common remote access platform. We'd use radius, but radius in the case can't be used for authorization, only authentication....
Basically I've hacked the active directory 2003 server to allow anonymous bind and read in the cn=users,dc=domain,dc=local container to unauthenticated users. Unfortunately, I don't think my (government) customer will want to do that in production.
Essentially I need to statically configure a bind DN and password in the chain-idassert-bind that will be used for the connection back to the AD LDAP server for the query. Most of what I found in the documentation centers around allowing bind users' authentication to be passed through the connection so long as it matches a "bind allow access list".
It seems that something in the "from/to" rules may apply, but I am just having trouble getting my hands around exactly what the combination is.
When I do a tcpdump on the network, the chain is working. The openldap server actually makes a bind request to AD and follows the reference for the client. The problem is the bind is simple and empty (rfc definition for anonymous bind).
I'll spend some more time this weekend tinkering, but if you can think of any knobs I need to set I'd certainly welcome the help.
Cheers, Dave
On 1/11/08 10:09 AM, "Gavin Henry" ghenry@suretecsystems.com wrote:
Dave Stoll wrote:
I'm on 2.4.7
I take it you are using the chain overlay?
I think you can use chain-rebind-as-user and chain-idassert-bind
man slapo-chain