Re: slapd.conf for proxy to AD

[Pierangelo Masarati <masarati@aero.polimi.it>]

Buchan Milne wrote:
> On Wednesday, 9 February 2011 01:13:38 masarati@aero.polimi.it wrote:
>
> > As far as I recall, what you need is not possible.  You can:
> >
> > - have authenticated users proxied with their identity asserted, or
> >
> > - all users, including unauthenticated ones auth'd as a fixed identity
> >
> > but not both.  Please note that you're asking OpenLDAP's slapd to bridge
> > the gap between two broken pieces of code: clients that cannot be
> > configured to bind,
>
> Because the OP wants to have anonymous access for some clients of the proxy 
> does not necessarily mean the software is broken, there could be 
> organisational reasons (e.g. AD administrator not prepared to create multiple 
> proxy accounts for different applications).
>
> > and AD that cannot be configured to accept anonymous
> > requests (AFAIK).
>
> Again, AD can be configured to allow anonymous binds, but AFAIK as of Windows 
> 2003, it is disabled by default, and many AD security standards (used by e.g. 
> financial auditing companies in their IT auditing) mandate that it not be 
> enabled.
>
> > Feel free to suggest an enhancement that allows to
> > handle this scenario, though.
>
> IMHO, it would make sense to support this mode of operation.

This feature is already supported: the OP could configure a proxy for 
auth'd users, and another proxy for clients binding anonymously, and 
point each client to the most appropriate proxy.  If an organization's 
configuration can tolerate the complexity of one proxy to workaround 
what I still believe be broken software, it can tolerate the complexity 
of two proxies.  Tthe fact that one needs to add a piece of software to 
break rules makes the whole system broken, since rules are violated 
anyway, so I'd find it easier to eliminate to-be-broken rules in the 
first place.

p.