Problems using idassert-bind

["michel.gruau" <michel.gruau@laposte.net>]

Hello,

A have a slapd-meta configuration with 6 backend directories. All of them can be accessed anonymously except One of them need that need to be accessed through a technical account.

This technical must be used whatever the proxy bind DN is:
- anonymous
- user account
- manager account (cn=Manager,dc=example,dc=com)

Below is my test configuration:
database meta
suffix dc=example,dc=com
uri ldap://remote:389/dc=example,dc=com
idassert-bind bindmethod=simple
ÂÂÂÂÂÂÂÂÂÂÂÂÂ binddn="uid=tech,dc=example,dc=com" 
ÂÂÂÂÂÂÂÂÂÂÂÂÂ credentials="password"

As no anonymous access were allowed, I had to add the following line:
idassert-authzFrom "dn.regex:.*"

This configuration allowed me to perform an anonymous search but the technical account were not used when connecting to the remote directory (anonymous account were used instead).

I then tested "mode=self" and "mode=anonymous". But I received "protocol error" from the remote server when performing an anonymous search (search using user account and search using manager account were working).

I managed to make it working using "mode=none". As the technical account were still not used when connecting to the proxy with a user account, I finally add the "flag=override".

This latest configuration looks good to me but I have to questions :

1/ Do you confirm that "none" is the rigth mode for my need ?

2/ Do you now why I cannot use "self" and "anonymous" ? What could be the reason why I receive the "protocol error" using mode=none and mode=self ?

FYI, remote server is a Sun One DS 5.2. I don't know whether it could explain.

Thank you very much for your expertise.

Michel


Une messagerie gratuite, garantie à vie et des services en plus, Ãa vous tente ?
Je crÃe ma boÃte mail www.laposte.net