On 20 October 2013 09:26, Jesus Jr M Salvo <[email protected]> wrote:
>
> Hi there,
>
> I actually used that link / your example as the basis for my tests. Thanks
> for the info you published.
> From what I can summarise in your work, you have:
>
> 1) Pass-through authentication on one LDAP directory:
>
> LDAP Client ---simple BIND--> OpenLDAP ---sasl---> saslauthd ---simple BIND--> AD
>
> 2) PTA on several LDAP directories --- with meta backend
>
> LDAP Client ---sasl--- saslauthd ---simple BIND--> OpenLDAP ---simple BIND--> AD
>
> 3) PTA on several LDAP directories --- with ldap backend
>
> LDAP Client ---sasl--- saslauthd ---simple BIND--> OpenLDAP ---simple BIND--> AD
>
> However, the scenario that I want to achieve is that the client connecting
> to OpenLDAP must also use saslauthd, because that is the only way svnserve
> (Subversion) can talk to an LDAP directory. Also, because I can only talk to
> AD2 using SASL bind and NOT simple bind, I also have to use saslauthd to
> talk to AD2.
>
> So what I really want to achieve is, using ASCII art / fixed width fonts:
>
> LDAP Client (e.g. svnserve / testsaslauthd) ---sasl---> saslauthd -> OpenLDAP
>                                                                        |------- sasl ---> saslauthd ---SASL BIND--> AD1
>                                                                        \------- sasl ---> saslauthd ---SASL BIND--> AD2
>
> The user that needs to be authenticated from the LDAP client (e.g. svnserve
> / testsaslauthd) is on either AD1 or AD2.
>
> From what I can summarise, I will actually need three (3) saslauthd
> processes, with different unix sockets, and with different saslauthd.conf.
>
> Is there a way for OpenLDAP to talk to another LDAP directory using SASL /
> DIGEST-MD5 without having to use saslauthd? So that I only need one (1)
> saslauthd (from svnserve to OpenLDAP)?
>
Sorry to the people on the list ... I did not realise that gmail was NOT
sending plain/text until I read my message in the list archive! ... I thought
selecting "Remove Formatting" would send it as plain/text, but I have to select
"More Options" and select "Plain text mode". Been a while since I used gmail to
send to a mailing list.

Anyway, what I hope to achieve may not actually be possible (PTA with SASL
bind). That is because the first thing that happens with SASL bind, at least
with DIGEST-MD5, is that:

1) LDAP client sends bindRequest with mechanism (no user or password or realm
   is sent yet)
2) LDAP server returns the NONCE to the client (bindInProgress)
3) LDAP client sends another bindRequest with the credentials (username, realm,
   and the NONCE) -- bindInProgress
4) LDAP server returns either a success or invalidCredentials

Therefore, the proxy will not know what backend the client really wants to
connect to until [3] above.

Oh well.
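The four-message DIGEST-MD5 bind described in the reply above, as an added example that is not part of the original thread and is not OpenLDAP, Cyrus SASL or saslauthd code. It simulates both sides of the exchange in Python with the RFC 2831 response computation (qop=auth, md5-sess, no authzid) and reports what a proxy sitting in front of two directories could extract from each bindRequest. The realm names AD1/AD2 are borrowed from the thread; the users, passwords, the digest-uri "ldap/proxy.example" and the nonces are constructed for the example.

```python
"""Simulated LDAP SASL bind with DIGEST-MD5 (RFC 2831 computation), showing
that a proxy sees no username or realm until the third message.
Added example for this thread; not OpenLDAP or Cyrus SASL code."""
import hashlib
import secrets

# LDAP resultCode values used below
SUCCESS = 0
INVALID_CREDENTIALS = 49
SASL_BIND_IN_PROGRESS = 14

# Constructed backends: realm -> {username: password}. Users and passwords are
# made up (a real server stores H(username:realm:password), not passwords).
USER_DB = {
    "AD1": {"alice": "alice-pw"},
    "AD2": {"bob": "bob-pw"},
}


def _hexmd5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def digest_response(username, realm, password, nonce, cnonce, digest_uri,
                    nc="00000001", qop="auth"):
    """RFC 2831 response-value for qop=auth, no authzid.
    A1 uses the raw 16-byte H(user:realm:pass), not its hex form."""
    a1 = (hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()
          + f":{nonce}:{cnonce}".encode())
    a2 = f"AUTHENTICATE:{digest_uri}".encode()
    return _hexmd5(f"{_hexmd5(a1)}:{nonce}:{nc}:{cnonce}:{qop}:{_hexmd5(a2)}".encode())


def parse_fields(s):
    """Parse 'k="v",k2=v2' into a dict. Enough for the fields used here
    (no commas inside values; a repeated key such as realm keeps the last)."""
    out = {}
    for part in s.split(","):
        k, _, v = part.partition("=")
        out[k.strip()] = v.strip().strip('"')
    return out


def step1_bind_request():
    """Client -> server: mechanism only. No name, realm or credentials yet."""
    return {"op": "bindRequest", "name": "", "mechanism": "DIGEST-MD5",
            "credentials": None}


def step2_challenge(realms, nonce=None):
    """Server -> client: saslBindInProgress carrying the nonce (and realms)."""
    nonce = nonce or secrets.token_hex(16)
    creds = (",".join(f'realm="{r}"' for r in realms)
             + f',nonce="{nonce}",qop="auth",charset=utf-8,algorithm=md5-sess')
    return {"op": "bindResponse", "resultCode": SASL_BIND_IN_PROGRESS,
            "serverSaslCreds": creds}


def step3_bind_request(challenge, username, realm, password,
                       digest_uri="ldap/proxy.example", cnonce=None):
    """Client -> server: second bindRequest with username, realm and the
    response computed over the server's nonce. digest_uri is made up."""
    nonce = parse_fields(challenge["serverSaslCreds"])["nonce"]
    cnonce = cnonce or secrets.token_hex(8)
    resp = digest_response(username, realm, password, nonce, cnonce, digest_uri)
    creds = (f'charset=utf-8,username="{username}",realm="{realm}",'
             f'nonce="{nonce}",nc=00000001,cnonce="{cnonce}",'
             f'digest-uri="{digest_uri}",response={resp},qop=auth')
    return {"op": "bindRequest", "name": "", "mechanism": "DIGEST-MD5",
            "credentials": creds}


def step4_verify(request, issued_nonce, user_db):
    """Server -> client: success or invalidCredentials. Verifying needs the
    user's secret for the realm that was only named in step 3."""
    f = parse_fields(request["credentials"])
    password = user_db.get(f.get("realm"), {}).get(f.get("username"))
    if password is None or f.get("nonce") != issued_nonce:
        return {"op": "bindResponse", "resultCode": INVALID_CREDENTIALS}
    expected = digest_response(f["username"], f["realm"], password, f["nonce"],
                               f["cnonce"], f["digest-uri"], f["nc"], f["qop"])
    ok = secrets.compare_digest(expected, f.get("response", ""))
    return {"op": "bindResponse",
            "resultCode": SUCCESS if ok else INVALID_CREDENTIALS}


def routing_info(request):
    """What a proxy in front of AD1/AD2 can learn from one bindRequest:
    (username, realm) once present, otherwise None."""
    if request["op"] != "bindRequest" or not request["credentials"]:
        return None
    f = parse_fields(request["credentials"])
    return f.get("username"), f.get("realm")


def run_bind(username, realm, password):
    """Full four-message exchange. Returns the routing info visible at
    step 1, the routing info visible at step 3, and the final resultCode."""
    m1 = step1_bind_request()
    m2 = step2_challenge(list(USER_DB))
    issued_nonce = parse_fields(m2["serverSaslCreds"])["nonce"]
    m3 = step3_bind_request(m2, username, realm, password)
    m4 = step4_verify(m3, issued_nonce, USER_DB)
    return routing_info(m1), routing_info(m3), m4["resultCode"]


if __name__ == "__main__":
    print(run_bind("alice", "AD1", "alice-pw"))  # step 1 shows None
    print(run_bind("bob", "AD2", "nope"))        # wrong password -> 49
```

Running run_bind shows the first element is always None: the proxy has already had to issue its own nonce in step 2 before it learns the realm. As an added observation (not something the thread states), that also means the proxy cannot simply forward the step-3 response to AD1 or AD2 once it knows the realm, because the backend would have issued a different nonce, and it cannot verify the response itself without holding the user's password or H(username:realm:password).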
