
Re: (ITS#6665) back_ldap and back_meta chasing referrals authentication



> Full_Name: Javier Sanz
> Version: 2.4.17
> OS: Debian Linux 5.0
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (80.38.203.12)
>
>
> back_ldap and back_meta should be able to do a non-anonymous bind to the
> referrals returned by the external LDAP servers.
>
> This is a regression since 2.3, because the old directives "pseudorootdn"
> and "pseudorootpw" allowed specifying the binddn and password that would
> be used to chase the referrals, but their 2.4 replacements "idassert-bind"
> and "idassert-authzFrom" do not allow that, so these binds are always done
> anonymously.

Back-ldap seems to work as expected if you set

chase-referrals         yes
rebind-as-user          yes
idassert-bind   bindmethod=simple
                binddn=<dn>
                credentials=<cred>
                mode=self

and binddn <dn> with credentials <cred> exists on both the remote server
and the one pointed to by the referral.

With back-meta, it should work with the same parameters; however, I've
checked and the specific code used to bind during searches does not set
the rebind procedure correctly.  I've fixed this in HEAD, please test.

Thanks, p.
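The directives from the reply, written out as a complete slapd.conf fragment. This is an added example, not text from the thread and not code from the OpenLDAP sources; host names, suffixes, the proxy DN and its password are placeholders I made up, and the directive semantics are my reading of slapd-ldap(5) and slapd-meta(5). The three database stanzas are alternatives to compare, not a configuration to load as one file (they share a suffix): the first is the situation the reporter describes (a referral is chased, but nothing tells the proxy whom to rebind as, so the follow-up bind is anonymous), the second is the back-ldap setup the reply says works, and the third is the back-meta equivalent that the reply says needs the rebind fix committed to HEAD.

```conf
# --- 1. Weak: referrals are followed, but with no identity to rebind as,
#        so the bind to the server named in the referral is anonymous and
#        the client's access rights are silently lost on that hop.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap1.example.com/"
chase-referrals yes

# --- 2. back-ldap, as described in the reply.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap1.example.com/"
chase-referrals yes
# Remember the client's own bind credentials so the proxy can replay them
# when it follows a referral (and when it reconnects). Caveat: the
# credentials stay in slapd's memory for the life of the client session.
rebind-as-user  yes
# Administrative identity the proxy binds with; mode=self means the proxy
# binds as this DN and then asserts the client's identity with the
# proxyAuthz control. As the reply says, the DN and password must exist on
# both ldap1 and the server the referral points to, and (my assumption from
# the man page) each of them must authorize cn=proxy to act for the client
# (authzTo/authzFrom on the remote side), otherwise the operation fails
# there rather than falling back to anonymous.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-password"
                mode=self
# Restrict which local identities may be asserted through the proxy
# identity; a placeholder rule, adjust to the local tree.
idassert-authzFrom "dn.subtree:ou=People,dc=example,dc=com"

# --- 3. back-meta equivalent. Same directives, but idassert-bind is
#        per target and therefore follows the uri line.
database        meta
suffix          "dc=example,dc=com"
chase-referrals yes
rebind-as-user  yes
uri             "ldap://ldap1.example.com/dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="proxy-password"
                mode=self
idassert-authzFrom "dn.subtree:ou=People,dc=example,dc=com"
```

Two practical checks: the credentials= value is a plaintext password, so slapd.conf must be readable only by the user slapd runs as; and the simplest way to confirm that referrals are no longer chased anonymously is to run a search through the proxy as an ordinary user and look at the bind DN logged on the server named in the referral (with loglevel stats it is the DN in the "BIND dn=" line), which should be that user's DN or cn=proxy with the user asserted, never an empty DN.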