
Re: Meta Idassert-bind

> I've been racking my brains trying to understand the syntax of
> idassert-bind.
>
> In my current setup I have a local bdb database with some users and
> the base entry for the tree. I have a meta database that is
> subordinate to the bdb database.
>
> If I bind to the proxy as root, and search for anything, with any
> base (within the tree) openldap will bind to the relevant targets
> using the credentials defined in the idassert-bind directives.
>
> If I bind to the proxy as a user that exists locally (within the bdb
> database) but not in any of the targets, openldap will bind to the
> targets anonymously using the dn defined in idassert-bind but no
> password.
>
> If I bind to the proxy as a user that exists in one of the targets,
> it will bind to that target with the supplied credentials, and bind
> anonymously using the dn defined in idassert-bind to all other
> targets within scope.
>
> Ideally, I would like the following situation:
>
> If a user binds with local credentials, openldap should bind to the
> targets with the credentials supplied with idassert-bind.
>
> If a user binds with remote credentials, openldap should bind to that
> target with the credentials supplied by the user, and either bind to
> the other targets using the pre-defined credentials OR not attempt to
> bind to those targets.

If I get your wishes correctly, you should work at the idassert-authzFrom level to only enable identity assertion for local users, disabling it for remote users.  You may need to set "non-prescriptive" in order to allow non-authorized users to connect anonymously.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
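An added slapd.conf sketch of the idassert-authzFrom approach suggested in the reply (editor's example, not configuration posted by either participant). The suffixes, hostnames, DNs and the local users branch "ou=people" are placeholders standing in for the poster's actual tree, and the password values are obviously marked placeholders.

```conf
# Added example, not from the original thread. Suffixes, URIs, DNs and
# passwords below are placeholders, not values from the thread.

# Local bdb database holding the base entry and the local users.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          "PLACEHOLDER-ROOTPW"
directory       /var/lib/ldap
index           objectClass eq

# Meta database subordinate to the bdb database, proxying two targets.
database        meta
suffix          "ou=remote,dc=example,dc=com"
subordinate

# --- target 1 ---
uri             "ldap://target1.example.com/ou=target1,ou=remote,dc=example,dc=com"
suffixmassage   "ou=target1,ou=remote,dc=example,dc=com" "dc=target1,dc=com"
# Identity used when asserting on behalf of authorized local users.
# non-prescriptive: identities NOT matched by idassert-authzFrom are still
# let through (anonymously) instead of having the operation rejected.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=target1,dc=com"
                credentials="PLACEHOLDER-TARGET1-PW"
                mode=self
                flags=non-prescriptive
# Only identities from the local users branch are asserted; a user who
# authenticated against a target does not match and is not asserted.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# --- target 2 ---
uri             "ldap://target2.example.com/ou=target2,ou=remote,dc=example,dc=com"
suffixmassage   "ou=target2,ou=remote,dc=example,dc=com" "dc=target2,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=target2,dc=com"
                credentials="PLACEHOLDER-TARGET2-PW"
                mode=self
                flags=non-prescriptive
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
```

A simple bind with a DN that lives on one of the targets is still proxied directly to that target as before; the idassert-authzFrom rule only decides which client identities get the proxy's credentials asserted on the other targets.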