A page in your DokuWiki was added or changed. Here are the details:

Date        : 2011/08/26 17:41
Browser     : Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20100101 Firefox/6.0
IP-Address  : 213.41.232.151
Hostname    : dslm0.nerim.lyon.linagora.net
Old Revision: http://ltb-project.org/wiki/documentation/general/sasl_delegation?rev=1314370989
New Revision: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Edit Summary: 
User        : coudot

@@ -152,9 +152,12 @@
  sasl-host       localhost
  sasl-secprops   none
  </file>
  
- Restart OpenLDAP.
+ Restart OpenLDAP:
+ <code>
+ service slapd restart
+ </code>
  
  ==== Step 5: be proud ====
  
  Now we can use the pass-trough authentication. To test it, you need an 
account in the backend, for example:
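Review bot: the added `service slapd restart` assumes a SysV-style `service` wrapper and a unit named `slapd`; since the page does not state a distribution, a short sentence saying the service name and restart command vary by platform (and that the configuration should be validated before restarting, so a typo in the `sasl-*` lines does not leave the directory down) would make the step portable. Worth a caveat in the same place: the unchanged context just above sets `sasl-secprops none`, which removes any minimum security-strength requirement on SASL binds to slapd, so the page should remind readers that the PLAIN-style pass-through binds this chapter relies on must be protected by TLS on the client-facing side.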
@@ -220,5 +223,82 @@
  </code>
  
  ===== Pass-Trough authentication on several LDAP directories =====
  
+ <note>This chapter explains how do Pass-Trough authentication on several LDAP 
backends. This adds compelxity as SASL dameon can only be configured to connect 
a single remote directory, and OpenLDAP cannot use several SASL authentication 
daemon. The solution described here use a meta directory between SASL dameon 
and remote directories. The choice of the backend to contact will be done in 
the SASL password value, for example {SASL}user@LDAP1 and 
{SASL}user@LDAP2.</note>
+ 
+ <note important>You need to install all the components of the previous 
chapter. This chapter will only describe the evolutions to do.</note>
+ 
+ ==== Step 1: create the meta directory ====
+ 
+ Configure a new OpenLDAP instance that will be a meta directory for the  LDAP 
backends, for example:
+ <file>
+ # Database
+ database        meta
+ suffix          "dc=local"
+ rootdn          "cn=Manager,dc=local"
+ rootpw          secret
+ 
+ # LDAP 1
+ uri ldap://ldap1.example.com/ou=LDAP1,dc=local
+ 
+ lastmod       off
+ suffixmassage   "ou=LDAP1,dc=local" "dc=example1,dc=com"
+ idassert-bind bindmethod=simple
+    binddn="cn=admin,dc=example1,dc=com"
+    credentials="secret"
+    mode=none
+    flags=non-prescriptive
+ idassert-authzFrom "dn.exact:cn=Manager,dc=local"
+ 
+ 
+ # LDAP 2
+ uri  ldap://ldap2.example.com/ou=LDAP2,dc=local
+ 
+ lastmod       off
+ suffixmassage "ou=LDAP2,dc=local" "dc=example2,dc=com"
+ idassert-bind bindmethod=simple
+   binddn="cn=admin,dc=example2,dc=com"
+   credentials="secret"
+   mode=none
+   flags=non-prescriptive
+ idassert-authzFrom "dn.exact:cn=Manager,dc=local"
+ </file>
+ 
+ Launch this server on a new port (or another server), that will be accessible 
from SASL dameon. For example it will be launched on ldap://127.0.0.1:390/
+ 
+ ==== Step 2: reconfigure saslauthd ====
+ 
+ Adapt SASL daemon configuration to contact the meta directory:
+ 
+ <code>
+ vi /etc/saslauthd.conf
+ </code>
+ 
+ <file>
+ ldap_servers: ldap://127.0.0.1:390/
+ ldap_search_base: ou=%d,dc=local
+ ldap_timeout: 10
+ ldap_filter: (|(uid=%U)(SAMACCOUNTNAME=%U))
+ ldap_bind_dn: cn=Manager,dc=local
+ ldap_password: secret
+ ldap_deref: never
+ ldap_restart: yes
+ ldap_scope: sub
+ ldap_use_sasl: no
+ ldap_start_tls: no
+ ldap_version: 3
+ ldap_auth_method: bind
+ </file>
+ 
+ The interesting changes are:
+   * ldap_search_base: we use the domain component (%d) to match to 
destination backend, trough the meta directory DIT
+   * ldap_filter: we mix the filters with an OR filter, so that the user (%U) 
will be found whatever backend is called
+ 
+ Restart saslauthd:
+ <code>
+ service saslauthd restart
+ </code>
+ 
+ ==== Step 5: be really proud ====
  
+ Do the tests of the first chapter, with different users in LDAP1 and LDAP2, 
and appropriate users in the main OpenLDAP server. By playing with the SASL 
password value, you are able to choose the authentication backend for 
pass-trough authentication.
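Review bot: the meta backend in Step 1 reaches the remote directories over plain `ldap://ldap1.example.com/` and `ldap://ldap2.example.com/` URIs while saslauthd uses `ldap_auth_method: bind`, so every password that saslauthd verifies is forwarded by the meta directory to the backends in cleartext across the network (the `ldap_start_tls: no` in Step 2 is acceptable only because the meta directory sits on 127.0.0.1:390); the page should either use `ldaps://` URIs for the two backends or enable TLS on the meta backend connections, and it should say that `rootpw secret`, the `credentials="secret"` values and `ldap_password: secret` are placeholders to be replaced. Two smaller points: the new chapter jumps from "Step 2: reconfigure saslauthd" straight to "Step 5: be really proud", so the test step should be numbered 3 (or the heading should say it mirrors Step 5 of the first chapter); and the headings and notes consistently misspell "Pass-Through" as "Pass-Trough", plus "dameon", "compelxity", "trough" and "how do" for "how to do", which is worth a pass before this goes live.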



-- 
This mail was generated by DokuWiki at
http://ltb-project.org/wiki/

_______________________________________________
ltb-changes mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-changes