Hello Fred,
I've just used this auth in my setup:
* You need to ensure that the certificate used on the client side (proxy) can be acknowledged by the backend server (i.e. validated through its CA)
* You can try ldapwhoami first. To be sure that the client does use the certificates, you can add a .ldaprc file in your homedir:

    TLS_REQCERT try
    TLS_CACERT /etc/ssl/certs/ca-bundle.crt
    TLS_CERT /etc/openldap/certs/server.crt
    TLS_KEY /etc/openldap/certs/server.key
    SASL_MECH external
    URI ldaps://mytest.com
    BASE dc=appli,dc=test,dc=com

TLSVerifyClient demand -> TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
Looks like your request does not use the certificate at all.

________________________________
From: fred750164@gmail.com <fred750164@gmail.com>
Sent: Thursday, 16 January 2025 19:52
To: openldap-technical@openldap.org <openldap-technical@openldap.org>
Subject: ldap proxy
I want to set up an architecture that allows a client to query an LDAP backend via an LDAP proxy. I want the query from the client to be unsecured, but the proxied communication between the LDAP proxy and the LDAP backend to be secured through mutual TLS authentication via SASL EXTERNAL. What configurations need to be implemented on the LDAP proxy and the LDAP backend?
I saw in the slapd-ldap(5) documentation that the idassert-bind parameter could be used on the LDAP proxy for the TLS connection via SASL EXTERNAL, and in the slapd.conf(5) documentation that the authz-regexp parameter could be used on the LDAP backend to allow querying with a DN extracted from the certificate on this LDAP backend.
However, I am struggling to set it up.
I use openldap 2.4.
slapd.conf on proxy server:

    [...]
    Database ldap
    suffix dc=test,dc=com
    uri ldaps://mytest.com:636
    idassert-bind mode=self bindmethod=sasl saslmech=EXTERNAL tls_cert=/etc/openldap/certs/server.crt tls_key=/etc/openldap/certs/server.key tls_cacert=/etc/ssl/certs/ca-bundle.crt tls_cacertdir=/etc/ssl/certs tls_crlcheck=none tls_reqcert=allow
    [...]

slapd.conf on backend server:

    [...]
    # Modules
    moduleload back_mdb
    moduleload authz-regexp

    # TLS
    TLSCACertificateFile /opt/openldap/etc/openldap/certs/ca-certificates.crt
    TLSCertificateFile /opt/openldap/etc/openldap/certs/backend.crt
    TLSCertificateKeyFile /opt/openldap/etc/openldap/certs/backend.key
    TLSCipherSuite HIGH
    TLSVerifyClient demand
    sasl-Host mytest.com
    sasl-realm EXTERNAL
    authz-regexp ".*" "cn=user1,dc=test,dc=com"
    [...]

proxy:

    ldapsearch -H ldaps://mytest.com -b "dc=appli,dc=test,dc=com" -Y EXTERNAL -ZZ
    ldap_start_tls: Can't contact LDAP server (-1)

backend:

    67895427.2b4074ce 0x7f7e6bffe6c0 TLS: can't accept: error:0A0000C7:SSL routines::peer did not return a certificate.
Any help would be appreciated.
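A preflight check for the two points raised in the reply (the proxy's certificate must validate against the CA the backend trusts, and the identity the backend derives from it is what authz-regexp matches). This is an added example, not code from the thread or from OpenLDAP; it assumes openssl is on PATH and takes the cert, key and CA bundle paths as arguments.

```shell
#!/bin/sh
# Preflight for a slapd-ldap proxy that must present a client certificate to a
# backend running "TLSVerifyClient demand". Added example, assumes openssl.
# Arguments: client cert, client key, CA bundle the backend trusts.
# Exit status: 0 ok, 1 file unreadable, 2 key/cert mismatch, 3 no chain to CA.

mtls_preflight() {
    cert="$1"; key="$2"; ca="$3"

    # 1. Key and certificate must belong together (compare public keys, which
    #    works for RSA and EC alike); otherwise slapd cannot load the pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key does not match certificate" >&2
        return 2
    fi

    # 2. Replay the backend's check: it validates the client cert against its
    #    TLSCACertificateFile, so verify against that same bundle for client use.
    #    A failure here is what produces "peer did not return a certificate"
    #    style handshake errors once slapd-ldap refuses to offer the cert.
    if ! openssl verify -purpose sslclient -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate does not chain to the backend CA bundle" >&2
        return 3
    fi
    return 0
}

# Subject of the certificate in RFC 4514 string form. With SASL EXTERNAL over
# TLS this subject is the identity the backend authenticates, i.e. the string
# the first argument of authz-regexp is matched against.
subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Stand-alone use: mtls_preflight.sh CERT KEY CA
if [ "$#" -eq 3 ]; then
    mtls_preflight "$1" "$2" "$3" && echo "ok: $(subject_dn "$1")"
fi
```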