--On Monday, April 18, 2022 12:03 PM -0700 Quanah Gibson-Mount
<[email protected]> wrote:
> --On Monday, April 18, 2022 6:49 PM +0000 [email protected] wrote:
>
>> Hope this helps clarify what I'm looking for.
>
> Hi Kartik,
>
> We do something similar at Klarna. Our olcDbIDAssertBind configuration
> is:
>
> olcDbIDAssertBind: mode=self
>   flags=override,prescriptive,proxy-authz-critical bindmethod=sasl
>   saslmech=external tls_cert=... tls_key=... tls_cacert=...
>
> Then our olcSyncrepl config has:
>
> olcSyncrepl rid=001 provider=... bindmethod=sasl saslmech=external
>   authzid="dn:cn=replicator,..." searchbase=... type=... keepalive=...
>   retry=... tls_cert=... tls_key=... tls_cacert=... timeout=..
>
> I would note that we also have a custom patch applied to the OpenLDAP 2.4
> series to fix an issue with proxy authorization (it does not fully apply
> to 2.5+) and ACL evaluation using the wrong identity.

Ok, this was ITS#9179, fixed in OpenLDAP 2.5.1+
--Quanah
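The thread elides every site-specific value, so here is a complete cn=config LDIF in the same shape, written as an added example (it is not Klarna's configuration and not from the OpenLDAP project). It assumes the olcDbIDAssertBind setting lives on a slapo-chain back-ldap instance under the frontend database, that the consumer's replicated database is olcDatabase={1}mdb, and that the same client certificate is used for both the chain proxy and syncrepl; all hosts, DNs and file paths are placeholders. The flag set is the one quoted above: proxy-authz-critical makes a failed proxy authorization abort the operation rather than letting it proceed as the consumer's own identity, which is the behaviour you want when ACLs on the provider are supposed to see the original client.

```ldif
# Added example, not from the thread. Placeholders: provider.example.com,
# dc=example,dc=com, cn=replicator and the /etc/ldap/tls paths.
# Continuation lines in LDIF start with one space that is stripped on join,
# so a second space is kept here to separate the option words.

# Chain overlay on the frontend so referrals from the provider are chased
# with the identity of the client that issued the operation.
dn: olcOverlay=chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: chain
olcChainReturnError: TRUE

# back-ldap instance the chain overlay uses to reach the provider.
# Assumes chain is the first overlay on the frontend, hence {0}.
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDatabase: ldap
olcDbURI: "ldaps://provider.example.com"
# mode=self: assert the bound client's own identity on the proxied operation.
# override,prescriptive: always proxy-authorize, never fall back to the
# consumer's own identity. proxy-authz-critical: a rejected proxy
# authorization fails the request instead of silently continuing.
olcDbIDAssertBind: mode=self
  flags=override,prescriptive,proxy-authz-critical
  bindmethod=sasl saslmech=external
  tls_cert=/etc/ldap/tls/consumer.crt
  tls_key=/etc/ldap/tls/consumer.key
  tls_cacert=/etc/ldap/tls/ca.crt

# Consumer replication: SASL EXTERNAL over the client certificate, then
# authorize as the replicator identity named in authzid.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldaps://provider.example.com
  bindmethod=sasl saslmech=external
  authzid="dn:cn=replicator,dc=example,dc=com"
  searchbase="dc=example,dc=com"
  type=refreshAndPersist
  keepalive=240:10:30
  retry="60 +"
  timeout=30
  tls_cert=/etc/ldap/tls/consumer.crt
  tls_key=/etc/ldap/tls/consumer.key
  tls_cacert=/etc/ldap/tls/ca.crt
```

Apply it on the consumer with `ldapmodify -Y EXTERNAL -H ldapi:/// -f chain-sync.ldif` (assuming the usual root access to cn=config over ldapi). Per the thread, proxy authorization and ACL evaluation picking the wrong identity was ITS#9179, fixed in OpenLDAP 2.5.1+; a 2.4 server needs the patch mentioned above for this configuration to enforce ACLs against the asserted identity rather than the consumer's own.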