Hi,
I'm trying to set up OpenLDAP as a Proxy for multiple LDAP servers using slapd-meta. The remote servers require SASL EXTERNAL authentication, so I have to configure TLS client auth.
The relevant part of my slapd.conf looks like this:
-------------------------------------------------
database meta
suffix "dc=example"

uri "ldaps://server2:636/cn=server2,dc=example"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=sasl
    saslmech=EXTERNAL
    tls_cert=mycert.crt
    tls_key=mycert.key
    tls_cacert=trusted-ca.pem
    mode=none
-------------------------------------------------
Starting slapd with this config results in anonymous authentication against "server2", even though I configured the idassert-bind to use SASL EXTERNAL with the given keys/certs.
The strange thing is: when I start slapd with the environment variables LDAPTLS_CERT, LDAPTLS_KEY and LDAPTLS_CACERT set (same values as the options in idassert-bind), everything works (the meta backend authenticates with the given keys/certs).
Why do I have to set those environment variables to get the meta backend working? And respectively, why do the tls_* options in idassert-bind have no effect (in that case)?
Thanks in advance,
Manuel
Apparently, although those options are perfectly valid, they are ignored by back-meta. I suggest you file an ITS http://www.openldap.org/its/.
p.
On 08/09/10 08:55 +0200, Manuel Gaupp wrote:
What setting do you have for TLSVerifyClient on the server side? According to 16.2.1.8 of the Administrator's Guide, you'll need a non-default setting for the server to ask for the client certificate.
Also, have you attempted to perform a bind using the client utilities, to rule out any problems with the server config?
The server that back-meta connects to is configured to "try" TLS authentication. I also tested the authentication using the client utilities, which succeeded.
Apparently, the tls options I'm using are ignored by back-meta (see the previous message).
Nevertheless, setting the LDAPTLS_... environment variables for slapd seems to be a possible workaround for this problem.
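As an added example (not code from the thread or from OpenLDAP), the following script parses a slapd.conf back-meta section the way slapd joins continuation lines, flags the bindmethod=sasl saslmech=EXTERNAL plus tls_* combination that the thread reports back-meta ignores, and derives the LDAPTLS_* values slapd would need in its environment for the workaround described above. Function names and the sample config are our own, constructed from the posted configuration.

```python
# Added example, not from the thread: parse a slapd.conf back-meta section, flag
# the SASL EXTERNAL + tls_* combination the thread reports back-meta ignores, and
# derive the LDAPTLS_* workaround. Function names and sample config are our own.
import shlex

# idassert-bind tls_* option -> libldap environment variable (the workaround)
IDASSERT_TLS_TO_ENV = {"tls_cert": "LDAPTLS_CERT", "tls_key": "LDAPTLS_KEY",
                       "tls_cacert": "LDAPTLS_CACERT"}

def directives(conf_text):
    """Yield (name, args) per directive; leading whitespace continues a line."""
    joined = []
    for raw in conf_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank and comment lines are ignored by slapd
        if raw[0] in " \t" and joined:
            joined[-1] += " " + raw.strip()
        else:
            joined.append(raw.strip())
    for line in joined:
        parts = shlex.split(line)
        yield parts[0], parts[1:]

def meta_idassert_env(conf_text):
    """Return (affected, env) for the first idassert-bind under 'database meta':
    affected = SASL EXTERNAL with tls_* options; env = LDAPTLS_* to export."""
    in_meta = False
    for name, args in directives(conf_text):
        if name == "database":
            in_meta = args == ["meta"]
        elif in_meta and name == "idassert-bind":
            opts = dict(a.split("=", 1) for a in args if "=" in a)
            sasl_ext = (opts.get("bindmethod") == "sasl"
                        and opts.get("saslmech") == "EXTERNAL")
            env = {IDASSERT_TLS_TO_ENV[k]: v for k, v in opts.items()
                   if k in IDASSERT_TLS_TO_ENV}
            return sasl_ext and bool(env), env
    return False, {}

# Constructed sample matching the config posted in the thread
SAMPLE_CONF = """\
database meta
suffix "dc=example"
uri "ldaps://server2:636/cn=server2,dc=example"
idassert-authzFrom "dn:*"
idassert-bind bindmethod=sasl saslmech=EXTERNAL tls_cert=mycert.crt
    tls_key=mycert.key tls_cacert=trusted-ca.pem mode=none
"""
```

Exporting the returned variables in slapd's environment before starting it reproduces the workaround; a back-meta section using bindmethod=simple, or a non-meta database, is reported as unaffected.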
openldap-technical@openldap.org