Shawn McKinney wrote:
> Here’s a snippet from an ansible template we use for one of our tests:
[...]

Hi Shawn, I'm looking to do something slightly different than your example. I 
can set up certificate-based authentication with the authz-regexp and authzTo 
stuff, no problems there. But I also want to do *proxyauth* to a different dn 
on the master. I don't see the authzId parameter in your chain configuration -- 
that's the part I can't get working.

Let me provide some more context. Let's say we have two consumer servers, 
consumer1.example.com and consumer2.example.com. Both of them have the same 
certificate installed. This certificate has a subject name of 
CN=ldap.example.com and a subjectAltName of DNS:*.example.com (wildcard 
certificate), so it can be used on all the consumer servers. When these servers 
update pwdFailureTime on the master server (via chain), I want the 
modifiersName to show the actual server name, not ldap.example.com.

On consumer1, I want to set up chain like this:
chain-idassert-bind bindmethod=SASL saslmech=EXTERNAL 
tls_cert=server.crt tls_key=tls.key authzId=dn:cn=consumer1,dc=example,dc=com

On consumer2, I want to set up chain like this:
chain-idassert-bind bindmethod=SASL saslmech=EXTERNAL 
tls_cert=server.crt tls_key=tls.key authzId=dn:cn=consumer2,dc=example,dc=com

I have set up authzFrom/authzTo on the master to allow CN=ldap.example.com to 
proxyauth as both of these names.

As I indicated in my original message, the idea is to do the equivalent of this 
(on consumer1):

LDAPTLS_KEY=server.key LDAPTLS_CERT=server.crt \
ldapmodify -Z -Y EXTERNAL \
-e '!authzid=dn:cn=consumer1,dc=example,dc=com' -e relax \
-h ldap-master.example.com -f update_pwdfailuretime.ldif

Hope this helps clarify what I'm looking for.

Thanks,

    -Kartik

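The two halves of the setup Kartik describes, as an added example that is not code from the thread or from OpenLDAP itself: the per-consumer chain-idassert-bind directive (carrying the per-host authzId), and the master-side authz-regexp / authz-policy / authzTo pieces that let the one shared certificate identity proxy as each consumer DN. The hostnames, the suffix dc=example,dc=com and the entry cn=ldap.example.com,ou=servers,dc=example,dc=com that the certificate subject is mapped to are assumptions for illustration; the authzTo regex is checked offline with grep so the allow/deny decision can be verified before touching slapd.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP. Emits the
# consumer-side chain-idassert-bind directive and the master-side authz
# configuration for the proxyauth-over-SASL-EXTERNAL setup described above.
set -eu

SUFFIX='dc=example,dc=com'                        # assumed suffix
CERT_CN='ldap.example.com'                        # CN of the shared wildcard cert
CERT_ENTRY="cn=${CERT_CN},ou=servers,${SUFFIX}"   # assumed entry the cert maps to
# Only DNs matching this regex may be asserted by the certificate identity.
AUTHZ_TO_REGEX="^cn=consumer[0-9]+,${SUFFIX}\$"

# Consumer side: slapd.conf directive for the chain overlay on host "$1".
# The authzId is what makes modifiersName on the master show the consumer
# DN instead of the certificate's CN.
consumer_chain_directive() {
  printf 'chain-idassert-bind bindmethod=SASL saslmech=EXTERNAL tls_cert=server.crt tls_key=server.key authzId=dn:cn=%s,%s\n' "$1" "$SUFFIX"
}

# Master side (slapd.conf style): SASL EXTERNAL presents the certificate
# subject DN (cn=ldap.example.com) as the authcDN; map it to a real entry and
# set authz-policy to "to" so that entry's authzTo attribute is consulted.
master_authz_config() {
  cat <<EOF
authz-regexp "^cn=${CERT_CN}\$" "${CERT_ENTRY}"
authz-policy to
EOF
}

# LDIF adding authzTo to the certificate's entry on the master, allowing it
# to proxy as any consumerN DN.
master_authzto_ldif() {
  cat <<EOF
dn: ${CERT_ENTRY}
changetype: modify
add: authzTo
authzTo: dn.regex:${AUTHZ_TO_REGEX}
EOF
}

# Offline check: does the authzTo regex admit the DN in "$1"? Exit status
# mirrors the allow/deny slapd would make for the proxyAuthz control.
authz_allows() {
  printf '%s\n' "$1" | grep -Eq "$AUTHZ_TO_REGEX"
}

# The manual equivalent from consumer "$1", as in the thread (printed, not run).
manual_ldapmodify_cmd() {
  printf "LDAPTLS_KEY=server.key LDAPTLS_CERT=server.crt ldapmodify -Z -Y EXTERNAL -e '!authzid=dn:cn=%s,%s' -e relax -h ldap-master.example.com -f update_pwdfailuretime.ldif\n" "$1" "$SUFFIX"
}

if [ "${1:-}" = "show" ]; then
  consumer_chain_directive consumer1
  consumer_chain_directive consumer2
  master_authz_config
  master_authzto_ldif
  manual_ldapmodify_cmd consumer1
fi
```

Run it with `show` to print the fragments. Two things to confirm on the master before expecting modifiersName to change: the mapped entry must actually be authorized (authz-policy "to" plus a matching authzTo), and the asserted consumer DN, not the certificate entry, must have write access to pwdFailureTime under the master's ACLs, since the update is performed as the asserted identity.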