First of all thank you for your quick answer.

Before I posted the question I read the man pages several times trying to understand how slapd-meta runs. I don't speak English very well (as you can see), so it's probable that I don't understand it completely.

As I tried to explain in my question, I used idassert-bind before and it runs ok, but I don't understand why I have to use an administrative account to connect the proxy with the targets if I only want to pass through the credentials of the user that was authenticated on the proxy. So I tried to use rebind-as-user thinking it was the solution, but as you say this is for another use.

Only to confirm what I'm doing. Is this the correct directive for what I'm trying to do?

idassert-bind mode=self bindmethod=simple binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password of admin user"

Regards

> Date: Fri, 28 Feb 2014 21:23:52 +0100
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: Re: (ITS#7807) rebind-as-user in slapd-meta not running
>
> On 02/28/2014 11:00 AM, [email protected] wrote:
> > Full_Name: Angel Martinez
> > Version: 2.4.39
> > OS: Red Hat Linux 6.4
> > URL: ftp://ftp.openldap.org/incoming/
> > Submission from: (NULL) (217.71.18.36)
> >
> >
> > I'm trying to configure an LDAP proxy with slapd-meta.
> >
> > I have several suffixes over several instances that share the same user
> > accounts. It's possible that one user has access to several targets.
> >
> > The targets are:
> >
> > * Users: ou=users, dc=test, dc=com (all accounts reside here)
> >
> > * Target1: ou=target1, dc=test, dc=com
> >
> > * Target2: ou=target2, dc=test, dc=com
> >
> > These 3 suffixes are on 3 different instances.
> >
> > The instances where target1 and target2 reside also have another suffix: ou=users,
> > dc=test, dc=com. This suffix is replicated from the first instance (Users).
> >
> > Normally, the users connect through the proxy, but sometimes they will connect
> > directly to the other instances.
> >
> > Basically this is the slapd.conf of the proxy:
> >
> > database meta
> > chase-referrals yes
> > rebind-as-user yes
> >
> > suffix "ou=users,dc=test,dc=com"
> > uri "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"
> >
> > suffix "ou=target1,dc=test,dc=com"
> > uri "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
> >
> > suffix "ou=target2,dc=test,dc=com"
> > uri "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
> >
> > When a user connects to the proxy with cn=user1,ou=users,dc=test,dc=com, the
> > user is validated against the first target (ou=users) and can search over this
> > suffix, but if this user tries to search something over another target (for example
> > ou=target1) the proxy does not use the credentials of the user and does an
> > anonymous bind to target1, so the search doesn't run.
> >
> > I thought that rebind-as-user would resolve this, but it doesn't run.
> >
> > I've tried using idassert-bind mode=self bindmethod=simple
> > binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and it runs
> > ok, but I prefer not to use an administrative account to connect the proxy with
> > the targets.
> >
> > Is there something I'm missing?
>
> Yes, you did not read the slapd-meta(5) man page. rebind-as-user is used in
> a totally different context. What you need is idassert-bind.
>
>
> Please direct further conversation to <[email protected]>.
> This ITS will be closed.
>
> p.
>
>
> --
> Pierangelo Masarati
> Associate Professor
> Dipartimento di Scienze e Tecnologie Aerospaziali
> Politecnico di Milano
