> On Apr 14, 2022, at 4:56 PM, Kartik Subbarao <[email protected]> wrote:
>
> I have a consumer server (2.4.57) that successfully forwards pwdFailureTime
> modifications to the master server using GSSAPI authentication. I want to
> replace GSSAPI with certificate-based (SASL EXTERNAL) authentication along
> with proxy authorization. Basically, I want to configure the equivalent of
> the following command line:
>
> LDAPTLS_KEY=server.key LDAPTLS_CERT=server.crt \
> ldapmodify -Z -Y EXTERNAL \
> -e '!authzid=dn:cn=proxydn,dc=example,dc=com' -e relax \
> -h ldap-master.example.com -f update_pwdfailuretime.ldif
>
> The command line works as expected -- it authenticates successfully using the
> server certificate, and then does PROXYAUTHZ to cn=proxydn,dc=example,dc=com
> to perform the modify operation. The issue is when I try to configure this
> behavior with chain on the consumer server. I've tried various incantations
> along these lines:
>
> chain-idassert-bind bindmethod=SASL saslmech=EXTERNAL tls_cert=server.crt
> tls_key=tls.key authzId=dn:cn=proxydn,dc=example,dc=com
>
> The SASL EXTERNAL authentication works fine -- It binds to the master with
> the DN mapped from the certificate's subject. But it doesn't do the
> proxyauthz to cn=proxydn,dc=example,dc=com. I've read through the docs in
> detail and tried various modes, flags and other settings, but I can't get it
> to do the proxy authz.
>
What's the error in the logs?
> Does anyone have a known working config for this kind of setup that they can
> share? Otherwise, any suggestions on the best way to troubleshoot this
> further would be great.
Here’s a snippet from an ansible template we use for one of our tests:
```conf
overlay chain
chain-uri "{{ hostvars[providers | first].ldap_url }}"
chain-tls start
    tls_cacert="{{ cacert_path }}"
    tls_cert="{{ config_path }}/{{ inventory_hostname }}.crt"
    tls_key="{{ config_path }}/{{ inventory_hostname }}.pem"
    tls_reqcert=demand
chain-idassert-bind mode=legacy
    bindmethod=sasl
    saslmech=external
    binddn=cn=notused
    starttls=yes
    tls_cacert="{{ cacert_path }}"
    tls_cert="{{ config_path }}/{{ inventory_hostname }}.crt"
    tls_key="{{ config_path }}/{{ inventory_hostname }}.pem"
    tls_reqcert=demand
```
Another important item is that the service account used as proxy must have:
```ldif
…
sn: service account
authzTo: ldap:///ou=People,dc=example,dc=com??subtree?(objectclass=someperson)
```
Also, on the consumer:
```conf
authz-regexp "cn=([^,]*),ou=Symas,o=Symas corp,l=Grand Junction,st=Colorado,c=us" "cn=$1,ou=clients,dc=example,dc=com"
```
And on the target:
```conf
authz-policy to
authz-regexp "cn=([^,]*),ou=Symas,o=Symas corp,l=Grand Junction,st=Colorado,c=us" "cn=$1,ou=servers,dc=example,dc=com"
```
HTH
—
Shawn
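The two pieces that decide whether the proxy authorization above succeeds are the `authz-regexp` mapping (certificate subject to a real DN) and, under `authz-policy to`, the `authzTo` values on that mapped entry. The following is an added example, not OpenLDAP code and not from either poster, that models those two steps so the rules can be checked before touching a running server. The host name `consumer1`, the `DIRECTORY` entries and the attribute values are constructed; only the `ldap:///dn?attrs?scope?filter` form of `authzTo` and simple `(attr=value)` filters are modelled, and the real slapd matcher normalises DNs more thoroughly than the crude `norm()` here.

```python
import re

# Hypothetical authz-regexp rule, modelled on the target server in the thread.
AUTHZ_REGEXP = [
    (r"cn=([^,]*),ou=Symas,o=Symas corp,l=Grand Junction,st=Colorado,c=us",
     "cn=$1,ou=servers,dc=example,dc=com"),
]

# Constructed certificate subject of a consumer server (hypothetical host).
CERT_SUBJECT = "cn=consumer1,ou=Symas,o=Symas corp,l=Grand Junction,st=Colorado,c=us"


def norm(dn):
    """Crude DN normalisation: strip spaces around RDNs, lowercase."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


# Constructed directory content: attribute names lowercased, values as lists.
DIRECTORY = {
    norm("cn=consumer1,ou=servers,dc=example,dc=com"): {
        "objectclass": ["person"],
        "sn": ["service account"],
        "authzto": ["ldap:///ou=People,dc=example,dc=com??subtree?(objectclass=someperson)"],
    },
    norm("uid=alice,ou=People,dc=example,dc=com"): {"objectclass": ["someperson"]},
    norm("uid=bob,ou=People,dc=example,dc=com"): {"objectclass": ["person"]},
    norm("cn=admin,dc=example,dc=com"): {"objectclass": ["someperson"]},
}


def map_identity(sasl_dn, rules):
    """authz-regexp: first matching rule wins; $1.. are filled from the groups."""
    for pattern, template in rules:
        m = re.fullmatch(pattern, sasl_dn, flags=re.IGNORECASE)
        if m:
            out = template
            for i, group in enumerate(m.groups(), start=1):
                out = out.replace(f"${i}", group)
            return out
    return sasl_dn  # no rule matched: identity stays the raw SASL DN


def parse_ldap_url(url):
    """Split an authzTo LDAP URL into (base DN, scope, filter)."""
    prefix = "ldap:///"
    if not url.lower().startswith(prefix):
        raise ValueError("only ldap:/// URLs are modelled here")
    parts = url[len(prefix):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = parts[:4]
    return base, (scope or "base").lower(), filt


def dn_in_scope(target, base, scope):
    """Is the normalised target DN within base for scope base/sub/subtree?"""
    if scope == "base":
        return target == base
    if scope in ("sub", "subtree"):
        return target == base or target.endswith("," + base)
    raise ValueError(f"scope {scope!r} not modelled here")


def matches_filter(entry, filt):
    """Evaluate a simple (attr=value) filter; value '*' means 'present'."""
    if not filt:
        return True
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("only simple (attr=value) filters are modelled here")
    attr, value = m.group(1).lower(), m.group(2).lower()
    present = [v.lower() for v in entry.get(attr, [])]
    return bool(present) if value == "*" else value in present


def may_proxy(auth_dn, target_dn, directory):
    """authz-policy 'to': the authenticated identity's own entry must carry
    an authzTo URL whose base, scope and filter cover the target entry."""
    auth_entry = directory.get(norm(auth_dn))
    target_entry = directory.get(norm(target_dn))
    if auth_entry is None or target_entry is None:
        return False  # unmapped identity or unknown target: refuse
    for url in auth_entry.get("authzto", []):
        base, scope, filt = parse_ldap_url(url)
        if dn_in_scope(norm(target_dn), norm(base), scope) and matches_filter(target_entry, filt):
            return True
    return False


def check_proxy(cert_subject, target_dn, rules=AUTHZ_REGEXP, directory=DIRECTORY):
    """Whole path: certificate subject -> authz-regexp -> authzTo check."""
    return may_proxy(map_identity(cert_subject, rules), target_dn, directory)


if __name__ == "__main__":
    for target in ("uid=alice,ou=People,dc=example,dc=com",
                   "uid=bob,ou=People,dc=example,dc=com",
                   "cn=admin,dc=example,dc=com"):
        print(target, "->", "allowed" if check_proxy(CERT_SUBJECT, target) else "denied")
```

Running it shows why a chain bind can authenticate fine yet never proxy: a subject that no `authz-regexp` rule matches is left as the raw certificate DN, which has no entry and therefore no `authzTo`, and an `authzTo` URL whose scope or filter does not cover the asserted identity also yields a refusal. Comparing the mapped DN that slapd logs at the bind with the DN named in the `authzTo` URL is the first thing to check.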