back-ldap: using sasl external authentication with ldapi:///
Kartik Subbarao
2010-03-17 15:22:07 UTC
With 2.4.21, I'm trying to use SASL EXTERNAL authentication with a
back-ldap instance pointed to another ldap server listening on the same
host -- ldapi:///. Here is the config:

database ldap
suffix o=llnw
uri ldapi:///
rebind-as-user true
idassert-bind bindmethod=sasl saslmech=EXTERNAL

This doesn't seem to work; it just results in a plain anonymous bind
over ldapi:

Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 BIND dn="" method=128
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 RESULT tag=97 err=0 text=
[...]

I've tried the various mode= arguments and even tried setting
authcId/authzId, but ran into various errors. What I'm looking for is to
have all incoming anonymous connections be mapped to the equivalent of
this ldapsearch command:

ldapsearch -H ldapi:/// -Y EXTERNAL <...>

Which shows up in the slapd log like so:

Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 fd=62 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="" method=163
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND authcid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=***@LLNW.COM" authzid="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=***@LLNW.COM"
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=112

Thanks,

-Kartik
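As an added check, not part of Kartik's post: a small Python script that walks slapd log lines like the ones above, ties each conn= to its ACCEPT transport and its BIND method, and flags ldapi connections that only ever bound anonymously (dn="" method=128) instead of via SASL EXTERNAL (method=163 followed by a mech=EXTERNAL line). The sample lines are constructed after the excerpts in the post; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the slapd excerpts in the post: conn=1140 is the
# anonymous proxy bind, conn=1143 the wanted SASL EXTERNAL bind, conn=1150 a TCP client.
SAMPLE_LOG = """\
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 fd=22 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 BIND dn="" method=128
Mar 16 14:01:30 ed1-dev slapd[28774]: conn=1140 op=0 RESULT tag=97 err=0 text=
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 fd=62 ACCEPT from PATH=/var/run/slapd/ldapi (PATH=/var/run/slapd/ldapi)
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="" method=163
Mar 16 14:04:44 ed1-dev slapd[28774]: conn=1143 op=0 BIND dn="gidNumber=389+uidNumber=389,cn=peercred,cn=external,cn=auth" mech=EXTERNAL sasl_ssf=0 ssf=112
Mar 16 14:05:02 ed1-dev slapd[28774]: conn=1150 fd=30 ACCEPT from IP=10.0.0.5:41234 (IP=0.0.0.0:389)
Mar 16 14:05:02 ed1-dev slapd[28774]: conn=1150 op=0 BIND dn="" method=128
"""

CONN_RE = re.compile(r"conn=(\d+)\s+(.*)")
METHOD_RE = re.compile(r'BIND dn="([^"]*)" method=(\d+)')
MECH_RE = re.compile(r'BIND dn="([^"]*)" mech=(\S+)')

def classify_binds(log_text):
    """Map conn id -> {'transport': ldapi|tcp, 'bind': how it bound, 'dn': bound DN}."""
    conns = defaultdict(lambda: {"transport": None, "bind": "none", "dn": ""})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        cid, rest = int(m.group(1)), m.group(2)
        c = conns[cid]
        if "ACCEPT from" in rest:
            # ldapi connections are logged with PATH=..., TCP ones with IP=...
            c["transport"] = "ldapi" if "from PATH=" in rest else "tcp"
        elif (mm := METHOD_RE.search(rest)):
            dn, method = mm.groups()
            if method == "128":    # simple-bind choice; an empty DN is an anonymous bind
                c["bind"] = "anonymous" if dn == "" else "simple"
            elif method == "163":  # SASL choice; the mechanism shows up on a later BIND line
                c["bind"] = "sasl"
            c["dn"] = dn
        elif (mm := MECH_RE.search(rest)):
            c["bind"], c["dn"] = "sasl/" + mm.group(2), mm.group(1)
    return dict(conns)

def anonymous_ldapi_conns(log_text):
    """Connection ids that arrived over ldapi but never bound with an identity."""
    return sorted(cid for cid, c in classify_binds(log_text).items()
                  if c["transport"] == "ldapi" and c["bind"] == "anonymous")
```

Run it over a real slapd log (loglevel stats) to confirm whether the proxy's upstream connections actually carry the EXTERNAL identity or are silently anonymous, as in the first excerpt.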