BECOT Jérôme wrote:
> Thank you Howard for your short answer. That confirms what I thought. I still
> have an issue to make it work. I've tried a lot of different setups and I
> can't make the proxy use the idassert-bind parameters. All of my tests send the
> authentication information directly to the backend:
>
> * simple binds
> * anonymous binds
> * sasl with certificate binds
>
> I can read the following message in the proxy's logs with SASL:
> ldap_back_dobind_int: DN="uid=test,ou=tech,dc=local" without creds, binding
> anonymously
> Simple binds must be sent without assertion.
>
> I think I missed something to trigger proxy authorization on the proxy side.
You're using mode=legacy, which relies on authcID being configured. Since you're
using SASL/EXTERNAL and a certificate, you can just set this to a dummy value.
You should also set authz=native since you can use SASL proxy authorization and
don't need the proxyauthz control. You also have an obvious error in the TLS
config below.
>
> Here is the setup on the proxy:
>
> dn: cn=config
> objectClass: olcGlobal
> cn: config
> olcAuthzPolicy: to # I think it has to be configured on the backend only,
> this is a try
> olcAuthzRegexp: {0}cn="[^.]*\.[Bb][0-9]{3}\.[^.]{3,5}\.([^.]{3})\.[^.]{3}\.[^,]*,ou=test,o=some,c=fr"
>   "uid=$1,ou=tech,dc=local" # To map the cert id of the client to a remote account
> olcLocalSSF: 256
> olcLogLevel: stats stats2
> olcTLSCACertificateFile: /etc/certificates/local.ca
> olcTLSCertificateFile: /etc/certificates/proxy.local.crt
> olcTLSCertificateKeyFile: /etc/certificates/proxy.local.key
>
> dn: cn=module{0},cn=config
> objectClass: olcModuleList
> cn: module{0}
> olcModulePath: /usr/local/openldap/libexec/openldap
> olcModuleLoad: {0}argon2.la
> olcModuleLoad: {1}back_ldap.la
>
> dn: olcDatabase={2}ldap,cn=config
> objectClass: olcDatabaseConfig
> objectClass: olcLDAPConfig
> olcDatabase: {2}ldap
> olcSuffix: dc=local
> olcDbURI: "ldaps://backend.local:636"
> olcDbIDAssertBind:
>   mode=legacy
>   flags=prescriptive,proxy-authz-non-critical
>   bindmethod=sasl saslmech=EXTERNAL
>   tls_cacert="/etc/certificates/local.ca"
>   tls_cacert="/etc/certificates/proxy.local.crt"
>   tls_cacert="/etc/certificates/proxy.local.key"

You've set tls_cacert 3 times. You need to set cert and key.
> olcDbIDAssertAuthzFrom: {0}*
> olcDbRebindAsUser: FALSE
> olcDbChaseReferrals: TRUE
>
> ------------------------------------------------------------------------
> From: Howard Chu <h...@symas.com>
> Sent: Wednesday 6 August 2025 17:51
> To: BECOT Jérôme <jbe...@itsgroup.com>; openldap-technical
> <openldap-technical@openldap.org>
> Subject: Re: Certificate authentication through LDAP Proxy (back_ldap)
>
> WARNING: This e-mail comes from outside the organisation. Do not click on
> links or open attachments unless you recognise the sender and know that the
> content is safe.
>
> BECOT Jérôme wrote:
>> Hello,
>>
>> We have a working setup with two mirror masters and two slaves:
>>
>> * Syncrepl uses a certificate on each node to fetch data, with an
>> olcAuthzRegexp rule to map it to a DSA (simpleSecurityObject).
>> * Client SSSD servers also use a dedicated certificate to authenticate on
>> the slaves, with another olcAuthzRegexp to map them to a "per project" DSA.
>> * We use different ACLs on the main db because some DSAs have privileged
>> access to some branches
>>
>> We want to expose data on other subnets through proxies, and cyber asks to
>> use OpenLDAP with back_ldap.
>>
>> How should we configure them to use client certificate authentication to the
>> backend slaves?
>
> back-ldap cannot use the client's certificates on the backend slaves. All you
> can do is configure back-ldap to use proxy authorization to assert the client's
> identity on its connections to the backends. back-ldap itself can use its own
> certificate or any other authentication method to authenticate itself to the
> backends, and then proxy authorize on behalf of the clients.
>
>> Any thoughts appreciated
>> Regards
>> Jerome
>
> --
> -- Howard Chu
> CTO, Symas Corp.
> http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/

--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
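The idassert-bind fragment as the reply above describes it, written out as an added LDIF example that is not part of the thread: it keeps the file paths the original poster listed, uses a placeholder authcID value, and assumes the backend's own authorization policy (olcAuthzPolicy with authzTo/authzFrom) already permits the identity the proxy's certificate maps to to assert other users.

```ldif
# As posted: every TLS option is tls_cacert, so back-ldap never loads the
# proxy's own certificate and key and SASL/EXTERNAL has nothing to present
# to the backend. Kept here, commented out, only for comparison.
#
# olcDbIDAssertBind: mode=legacy
#   flags=prescriptive,proxy-authz-non-critical
#   bindmethod=sasl saslmech=EXTERNAL
#   tls_cacert="/etc/certificates/local.ca"
#   tls_cacert="/etc/certificates/proxy.local.crt"
#   tls_cacert="/etc/certificates/proxy.local.key"

# Corrected value, applied with ldapmodify against cn=config.
# - authcID is required by mode=legacy; "dummy" is a placeholder, since the
#   identity actually comes from the certificate via SASL/EXTERNAL.
# - authz=native uses SASL proxy authorization instead of the proxyAuthz
#   control.
# - tls_cert / tls_key point at the proxy's certificate and key; tls_cacert
#   stays the CA that signed the backend's server certificate.
# Continuation lines start with one space (stripped by LDIF) followed by a
# second space that keeps the options separated in the joined value.
dn: olcDatabase={2}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: mode=legacy
  flags=prescriptive,proxy-authz-non-critical
  bindmethod=sasl saslmech=EXTERNAL
  authcID="dummy"
  authz=native
  tls_cacert="/etc/certificates/local.ca"
  tls_cert="/etc/certificates/proxy.local.crt"
  tls_key="/etc/certificates/proxy.local.key"
-
replace: olcDbIDAssertAuthzFrom
olcDbIDAssertAuthzFrom: {0}*
-
```

With this in place the backend's log should show the proxy binding as its own mapped DN and then an authorization identity equal to the client's mapped DN, rather than the "without creds, binding anonymously" line quoted above.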