Hi,

On Mon, 27 Dec 2010 15:15:21 +0000, Ubay Dorta Guerra <[email protected]> wrote:
> Hi,
>
> On 23/04/10 17:17, [email protected] wrote:
> >
> > The problem is that you probably do not realize that the proxy
> > cannot do a cert-based authentication on behalf of the client
> > because it doesn't have the client's private key (which is
> > correct). You need the proxy to perform an identity assertion: bind
> > to the remote server with its own identity, and then assert the
> > client's identity using proxy authorization.
> >
> > To do this, you need to:
> >
> > a) define some means for the proxy to bind to the remote server,
> > e.g. using cert-based SASL EXTERNAL, or simple bind under TLS, or
> > whatever;
> >
> > b) configure the remote server so that the proxy's identity defined
> > in (a) is allowed to proxy authz as whatever client's identity you
> > want to accept; this requires using the directive "authz-policy";
> > you may need to use "authz-regexp" if you intend to map the
> > client's identity; and you'll need to populate the "authzTo"
> > operational attribute of the entry corresponding to the proxy's
> > identity.
> >
> > c) add to the proxy configuration the directive
> >
> > idassert-bind bindmethod=<what you chose for (a)>
> >     <bind parameters for (a)>
> >     mode=self
> >
>
> The simple bind under TLS worked, but when I try to use cert-based
> SASL EXTERNAL authentication I get no success.
>
> In the proxy server configuration I add the following directive:
>
> idassert-bind bindmethod=sasl
>     saslmech=EXTERNAL
>     binddn="CN=proxy-server1.example.com,O=Internet
>     Widgits Pty Ltd,ST=Some-State,C=AU"

The binddn should be empty, or just don't configure a binddn.

>     tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
>     tls_key=/etc/ssl/private/proxy-server1.example.com.key
>     tls_cacertdir=/etc/ssl/cacerts/
>     tls_reqcert=demand
>     mode=self
>
> In the master (remote) server I set:

Did you ever test the certificate chain?
Create a file ~/.ldaprc with

TLS_CERT      /etc/ssl/certs/proxy-server1.example.com.pem
TLS_KEY       /etc/ssl/certs/proxy-server1.example.com.key
TLS_CACERTDIR /etc/ssl/cacerts

and run

ldapwhoami -Y EXTERNAL -ZZ -H ldap://your.host

-Dieter

-- 
Dieter Klünter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53°37'09,95"N 10°08'02,42"E
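Steps (a) to (c) from the quoted advice, assembled as an added example that is not from this thread or from the OpenLDAP project: slapd.conf fragments for both servers. It assumes a master named master.example.com, a proxy entry under a hypothetical ou=proxies and user entries under ou=people,dc=example,dc=com, and that slapd matches authz-regexp against the normalized (lowercased) certificate subject DN.

```conf
########## master (remote) server: slapd.conf ##########
# TLS: the proxy must present its client certificate and have it verified,
# otherwise SASL EXTERNAL yields no identity at all.
TLSCACertificatePath  /etc/ssl/cacerts
TLSCertificateFile    /etc/ssl/certs/master.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/master.example.com.key
TLSVerifyClient       try

# (b) Map the certificate subject that SASL EXTERNAL yields onto an entry.
# Assumption: the regex is matched against the normalized (lowercased) DN;
# confirm the exact string with
#   ldapwhoami -Y EXTERNAL -ZZ -H ldap://master.example.com
# which prints "dn:cn=proxy-server1,ou=proxies,dc=example,dc=com" once the
# mapping works.
authz-regexp
  "^cn=proxy-server1.example.com,o=internet widgits pty ltd,st=some-state,c=au$"
  "cn=proxy-server1,ou=proxies,dc=example,dc=com"

# Consult the authzTo attribute of the authenticated identity (the proxy)
# to decide whose identity it may assert.
authz-policy to

# The proxy's entry, loaded as rootdn (authzTo is an operational attribute).
# Hypothetical DIT layout; here the proxy may assert any uid under ou=people:
#   dn: cn=proxy-server1,ou=proxies,dc=example,dc=com
#   objectClass: applicationProcess
#   cn: proxy-server1
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$

########## proxy server: slapd.conf ##########
database ldap
suffix   "dc=example,dc=com"
uri      "ldap://master.example.com"
# (c) No binddn: with SASL EXTERNAL the identity comes from tls_cert.
idassert-bind bindmethod=sasl
  saslmech=EXTERNAL
  starttls=critical
  tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
  tls_key=/etc/ssl/private/proxy-server1.example.com.key
  tls_cacertdir=/etc/ssl/cacerts
  tls_reqcert=demand
  mode=self
# tls_cacertdir must be an OpenSSL hashed directory (run c_rehash on it);
# an unhashed directory is a common reason the chain fails to verify.
```

Running Dieter's ldapwhoami test with the proxy's ~/.ldaprc first, before touching idassert-bind, separates a certificate-chain problem from an authz-policy or authzTo problem.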
