A page in your DokuWiki was added or changed. Here are the details:

Date : 2011/09/05 10:59
Browser : Mozilla/5.0 (X11; Linux i686; rv:6.0.1) Gecko/20100101 Firefox/6.0.1
IP-Address : 213.41.232.151
Hostname : dslm0.nerim.lyon.linagora.net
Old Revision: http://ltb-project.org/wiki/documentation/general/sasl_delegation?rev=1314374009
New Revision: http://ltb-project.org/wiki/documentation/general/sasl_delegation
Edit Summary:
User : coudot
@@ -221,17 +221,17 @@ <code> ldapsearch -x -H ldap://ldap.example.com -b dc=example,dc=com -D uid=coudot,ou=users,dc=example,dc=com -w password </code> - ===== Pass-Trough authentication on several LDAP directories ===== + ===== Pass-Trough authentication on several LDAP directories - with OpenLDAP meta backend ===== - <note>This chapter explains how do Pass-Trough authentication on several LDAP backends. This adds compelxity as SASL dameon can only be configured to connect a single remote directory, and OpenLDAP cannot use several SASL authentication daemon. The solution described here use a meta directory between SASL dameon and remote directories. The choice of the backend to contact will be done in the SASL password value, for example {SASL}user@LDAP1 and {SASL}user@LDAP2.</note> + <note>This chapter explains how do Pass-Trough authentication on several LDAP backends with OpenLDAP meta backend. This adds complexity as SASL daemon can only be configured to connect a single remote directory, and OpenLDAP cannot use several SASL authentication daemon. The solution described here use a meta directory between SASL daemon and remote directories. The choice of the backend to contact will be done in the SASL password value, for example {SASL}user@LDAP1 and {SASL}user@LDAP2.</note> <note important>You need to install all the components of the previous chapter. This chapter will only describe the evolutions to do.</note> ==== Step 1: create the meta directory ==== - Configure a new OpenLDAP instance that will be a meta directory for the LDAP backends, for example: + Configure a new OpenLDAP instance that will be a meta directory for the LDAP backends, for example: <file> # Database database meta suffix "dc=local" 
@@ -303,4 +303,56 @@ ==== Step 3: be really proud ==== Do the tests of the first chapter, with different users in LDAP1 and LDAP2, and appropriate users in the main OpenLDAP server. By playing with the SASL password value, you are able to choose the authentication backend for pass-trough authentication. + + ===== Pass-Trough authentication on several LDAP directories - with OpenLDAP ldap backend ===== + + <note>This chapter explains how do Pass-Trough authentication on several LDAP backends with OpenLDAP ldap backend. The advantage over the meta backend is the possibility to use the rwm overlay with specific configuration for a backend directory, and for those using the cn=config backend, to manage the configuration into it (as these lines are written, backend meta is not supported in cn=config).</note> + + ==== Step 1: create the proxy directory ==== + + Configure a new OpenLDAP instance that will be a proxy directory for the LDAP backends, for example: + <file> + + # Database LDAP for local Manager authentication + database ldap + suffix "cn=manager,dc=local" + rootdn "cn=manager,dc=local" + rootpw secret + + # Database LDAP for LDAP 1 + database ldap + suffix "ou=LDAP1,dc=local" + + uri ldap://ldap1.example.com + + idassert-bind bindmethod=simple + binddn="cn=admin,dc=example1,dc=com" + credentials="secret" + mode=none + flags=non-prescriptive + idassert-authzFrom "dn.exact:cn=Manager,dc=local" + + overlay rwm + rwm-suffixmassage "ou=LDAP1,dc=local" "dc=example,dc=com" + + # Database LDAP for LDAP 2 + database ldap + suffix "ou=LDAP1,dc=local" + + uri ldap://ldap2.example.com + + idassert-bind bindmethod=simple + binddn="cn=admin,dc=example2,dc=com" + credentials="secret" + mode=none + flags=non-prescriptive + idassert-authzFrom "dn.exact:cn=Manager,dc=local" + + overlay rwm + rwm-suffixmassage "ou=LDAP1,dc=local" "dc=example,dc=com" + + # Example of rwm configuration for Active Directory + rwm-map attribute uid sAMAccountName + rwm-map attribute * * + </file> 
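Review bot: In the first hunk (@@ -221), the retitled heading and the rewritten `<note>` still carry "Pass-Trough" (should be "Pass-Through"), "how do Pass-Trough authentication" (should be "how to do"), "several SASL authentication daemon" (should be "daemons") and "The solution described here use" (should be "uses"); since this edit already fixes "compelxity" and "dameon" in the same sentence, correct these in the same pass, e.g. `===== Pass-Through authentication on several LDAP directories - with OpenLDAP meta backend =====`.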
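Review bot: In the second hunk (@@ -303), the "Database LDAP for LDAP 2" block is a copy of the LDAP 1 block that was not fully adapted: it keeps `suffix "ou=LDAP1,dc=local"` and `rwm-suffixmassage "ou=LDAP1,dc=local" "dc=example,dc=com"`, so two databases claim the same suffix and requests meant for ldap2.example.com can never be routed to it; it should read `suffix "ou=LDAP2,dc=local"` and `rwm-suffixmassage "ou=LDAP2,dc=local" ...`. Check also that the massage target `dc=example,dc=com` is intended, since the bind DNs in the same blocks live under `dc=example1,dc=com` and `dc=example2,dc=com`. The two `rwm-map` lines labelled "Example of rwm configuration for Active Directory" sit inside the LDAP 2 database and are therefore live configuration for that backend rather than an example; move them to their own `<file>` snippet or comment them out. Finally, both `credentials="secret"` values are admin bind passwords stored in cleartext in slapd.conf, so the text should say the file must be readable by the slapd user only, and the heading repeats the "Pass-Trough" spelling noted for the first hunk.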
--
This mail was generated by DokuWiki at http://ltb-project.org/wiki/

_______________________________________________
ltb-changes mailing list
[email protected]
http://lists.ltb-project.org/listinfo/ltb-changes
