Thank you Howard for your short answer. That confirms what I thought. I still
have an issue making it work. I've tried a lot of different setups and I can't
make the proxy use the idassert-bind parameters. All of my tests send the
authentication information directly to the backend:
* simple binds
* anonymous binds
* SASL with certificate binds
I can read the following message in the proxy's logs with SASL:
ldap_back_dobind_int: DN="uid=test,ou=tech,dc=local" without creds, binding anonymously
Simple binds must be sent without assertion.
I think I missed something to trigger proxy authorization on the proxy side.
Here is the setup on the proxy:
dn: cn=config
objectClass: olcGlobal
cn: config
# I think it has to be configured on the backend only, this is a try
olcAuthzPolicy: to
# To map the cert id of the client to a remote account
olcAuthzRegexp: {0}cn="[^.]*\.[Bb][0-9]{3}\.[^.]{3,5}\.([^.]{3})\.[^.]{3}\.[^,]*,ou=test,o=some,c=fr"
  "uid=$1,ou=tech,dc=local"
olcLocalSSF: 256
olcLogLevel: stats stats2
olcTLSCACertificateFile: /etc/certificates/local.ca
olcTLSCertificateFile: /etc/certificates/proxy.local.crt
olcTLSCertificateKeyFile: /etc/certificates/proxy.local.key

dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/openldap/libexec/openldap
olcModuleLoad: {0}argon2.la
olcModuleLoad: {1}back_ldap.la

dn: olcDatabase={2}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
olcSuffix: dc=local
olcDbURI: "ldaps://backend.local:636"
# tls_cacert is the CA bundle; the proxy's own certificate and key go in
# tls_cert and tls_key (continuation lines start with a space in LDIF)
olcDbIDAssertBind: mode=legacy
  flags=prescriptive,proxy-authz-non-critical
  bindmethod=sasl saslmech=EXTERNAL
  tls_cacert="/etc/certificates/local.ca"
  tls_cert="/etc/certificates/proxy.local.crt"
  tls_key="/etc/certificates/proxy.local.key"
olcDbIDAssertAuthzFrom: {0}*
olcDbRebindAsUser: FALSE
olcDbChaseReferrals: TRUE
________________________________
From: Howard Chu <[email protected]>
Sent: Wednesday, 6 August 2025 17:51
To: BECOT Jérôme <[email protected]>; openldap-technical <[email protected]>
Subject: Re: Certificate authentication through LDAP Proxy (back_ldap)
BECOT Jérôme wrote:
> Hello,
>
> We have a working setup with two mirror masters and two slaves:
>
> * Syncrepl uses a certificate on each node to fetch data, with an
> olcAuthzRegexp rule to map it to a DSA (simpleSecurityObject).
> * Client SSSD servers also use a dedicated certificate to authenticate on
> the slaves, with another olcAuthzRegexp to map them to a "per project" DSA.
> * We use different ACLs on the main db because some DSAs have privileged
> access to some branches
>
>
> We want to expose data on other subnets through proxies, and cyber asks us to
> use OpenLDAP with back_ldap.
>
> How should we configure them to use client certificate authentication to the
> backend slaves?
back-ldap cannot use the client's certificates on the backend slaves. All you
can do is configure back-ldap to use proxy authorization to assert the client's
identity on its connections to the backends. back-ldap itself can use its own
certificate or any other authentication method to authenticate itself to the
backends, and then proxy authorize on behalf of the clients.
>
> Any thoughts appreciated
> Regards
> Jerome
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
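To make the split Howard describes concrete, here is an added example, not configuration from the thread or from the OpenLDAP project, of the two halves a proxy-authorization setup needs: on the proxy, an idassert-bind that authenticates with the proxy's own certificate and restricts which identities may be asserted; on the backend, an authz-policy plus an authzTo grant on the proxy's own entry, without which the backend refuses the proxyAuthz control. The certificate paths, the backend host and the uid=...,ou=tech,dc=local client DNs are taken from the thread; the proxy certificate subject cn=proxy.local,ou=hosts,o=some,c=fr and the backend entry cn=proxy,ou=dsa,dc=local are assumed names.

```ldif
# Added example (not from the thread or the OpenLDAP project).
# Part 1: proxy side. back-ldap authenticates to the backend with its OWN
# certificate (tls_cert/tls_key) and asserts the client's mapped DN with the
# proxyAuthz control. The client's certificate never leaves the proxy.
dn: olcDatabase={2}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: mode=legacy
  flags=prescriptive,proxy-authz-critical
  bindmethod=sasl saslmech=EXTERNAL
  tls_cacert="/etc/certificates/local.ca"
  tls_cert="/etc/certificates/proxy.local.crt"
  tls_key="/etc/certificates/proxy.local.key"
  tls_reqcert=demand
-
# Only identities the proxy itself mapped from a client certificate may be
# asserted; with flags=prescriptive anything else is refused, not passed
# through as the proxy's own identity.
replace: olcDbIDAssertAuthzFrom
olcDbIDAssertAuthzFrom: {0}dn.regex:^uid=[^,]+,ou=tech,dc=local$
-

# Part 2: backend side (backend.local). The proxy's certificate subject is
# mapped to a local entry, and that entry is granted authzTo over the client
# identities. The subject "cn=proxy.local,ou=hosts,o=some,c=fr" and the entry
# "cn=proxy,ou=dsa,dc=local" are assumed names for this example.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to
-
add: olcAuthzRegexp
olcAuthzRegexp: "^cn=proxy\.local,ou=hosts,o=some,c=fr$"
  "cn=proxy,ou=dsa,dc=local"
-

# The grant itself lives on the proxy's entry in the data database: with
# authz-policy "to", the backend checks the authenticated identity's authzTo
# values against the DN carried in the proxyAuthz control.
dn: cn=proxy,ou=dsa,dc=local
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=tech,dc=local$
-
```

Once both parts are loaded, the backend half can be checked from the proxy host independently of back-ldap, using the proxy's own certificate (TLS_CERT and TLS_KEY in the calling user's ldaprc): ldapwhoami -H ldaps://backend.local:636 -Y EXTERNAL -e '!authzid=dn:uid=test,ou=tech,dc=local' should answer dn:uid=test,ou=tech,dc=local; an insufficient access result means the olcAuthzRegexp or authzTo grant on the backend is not in place yet. proxy-authz-critical is chosen deliberately: if the backend does not honour the control, the operation fails instead of silently running with the proxy's privileges.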