--On Thursday, May 1, 2025 10:19 PM +0000 Fred N <[email protected]>
wrote:
Hello,
I'm trying to set up an OpenLDAP architecture where a client connects
to a proxy using an unencrypted connection with a simple bind (e.g., via
ldapsearch), and the proxy then connects securely to a backend LDAP
server using TLS client certificate authentication via SASL EXTERNAL.
Here is what I'm aiming for:
• The client uses simple bind over ldap:// to connect to the proxy.
• The proxy should ignore the client's bind credentials and use its own certificate to connect to the backend via ldaps:// or ldap+starttls:// using SASL EXTERNAL.
• The backend uses authz-regexp rules to map the proxy's certificate DN to a local identity, which is authorized to perform the search on behalf of the client.
I've tested this setup with OpenLDAP versions 2.4, 2.5, and 2.6 but
have not been able to make it work.
I gave a configuration in my first message and I tried several
configurations, but I always come back to this one when I read the docs or
look at the forums.
Hi Fred,
You posted an abbreviated configuration, not your full configuration.
Additionally -
a) No clue what identity proxy server maps to on the backend server
b) No clue if you've configured the authzto: on that identity to allow it
to assume other identities.
I can say that in my environment:
*) A client can simple bind to a consumer and perform a write op
*) The back-ldap configuration will then do a SASL/EXTERNAL bind to one of
my providers as a specific identity
*) That identity has the ability to authzTo: anything, so it can assert the
identity of what bound to the consumer on the provider.
Regards,
Quanah
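For readers following the thread, here is an added configuration sketch of the two sides Quanah describes (proxy asserting a locally bound client over SASL/EXTERNAL, provider mapping the certificate and granting authzTo). It is not configuration from either poster; hostnames, DNs, certificate subjects and file paths are placeholders, and it assumes the client's simple bind has already been validated on the proxy (Quanah's consumer holds a local copy of the directory; a bare back-ldap proxy forwards the bind itself to the provider).

```conf
# ---- Proxy/consumer side (back-ldap), slapd.conf fragment ----
# Hostnames, DNs and paths below are placeholders, not values from the thread.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://provider.example.com/"

# Proxy-to-provider connection for asserted operations: StartTLS first, then
# SASL/EXTERNAL so the provider identifies the proxy by its client certificate.
idassert-bind   bindmethod=sasl
                saslmech=EXTERNAL
                starttls=critical
                tls_cert=/etc/openldap/certs/proxy.crt
                tls_key=/etc/openldap/certs/proxy.key
                tls_cacert=/etc/openldap/certs/ca.crt
                tls_reqcert=demand

# Which locally authenticated identities the proxy may assert on the provider.
# Narrower than the "anything" rule in the thread; widen only if you need to.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"

# ---- Provider side, slapd.conf fragment ----
TLSCACertificateFile    /etc/openldap/certs/ca.crt
TLSCertificateFile      /etc/openldap/certs/provider.crt
TLSCertificateKeyFile   /etc/openldap/certs/provider.key
TLSVerifyClient         try

# Map the proxy certificate subject (the SASL/EXTERNAL authentication DN,
# matched in RFC 4514 order) onto a real entry; adjust to the issued cert.
authz-regexp
    "^cn=proxy,ou=services,o=example$"
    "cn=proxy,ou=services,dc=example,dc=com"

# "to" means the authzTo attribute on the proxy's entry governs proxyAuthz.
authz-policy    to

# ---- Provider entry (LDIF) that lets the proxy assert user identities ----
# dn: cn=proxy,ou=services,dc=example,dc=com
# objectClass: applicationProcess
# cn: proxy
# authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$

# ---- Checks, run in this order ----
# 1. Provider maps the certificate to the intended entry (LDAPTLS_CERT and
#    LDAPTLS_KEY pointing at the proxy's cert/key):
#    ldapwhoami -H ldap://provider.example.com/ -ZZ -Y EXTERNAL
#    expected: dn:cn=proxy,ou=services,dc=example,dc=com
# 2. Assertion is accepted end to end through the proxy:
#    ldapsearch -H ldap://proxy.example.com/ -x \
#      -D uid=alice,ou=people,dc=example,dc=com -W -b dc=example,dc=com
```

If step 1 prints the raw certificate subject rather than the mapped entry DN, the authz-regexp did not match and proxyAuthz will be refused regardless of the authzTo value.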