[Date Prev][Date Next] [Chronological] [Thread] [Top]

(ITS#7807) rebind-as-user in slapd-meta not running

Full_Name: Angel Martinez
Version: 2.4.39
OS: Red Hat Linux 6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (

I'm trying to configure a LDAP proxy with slapd-meta.

I have several suffixs over several instances that shares the same user
accounts. It's posible that one user had access to several targets.

The targets are:

* Users: ou=users, dc=test, dc=com (here resides all accounts)

* Target1: ou=target1, dc=test, dc=com

* Target2: ou=target2, dc=test, dc=com

These 3 suffix are on 3 differents instances.

The instances where target1 and target2 are also have another suffix: ou=users,
dc=test, dc=com. This suffix is replicated from the first instance (Users)

Normally, the users connect throught the proxy, but sometimes will connect
directly to the others instances.

Basically this is the slapd.conf of the proxy:

database meta
chase-referrals yes
rebind-as-user  yes

suffix   "ou=users,dc=test,dc=com"
uri      "ldap://,dc=test,dc=com";

suffix   "ou=target1,dc=test,dc=com"
uri      "ldap://,dc=test,dc=com";

suffix   "ou=target2,dc=test,dc=com"
uri      "ldap://,dc=test,dc=com";

When a user connects to the proxy with cn=user1,ou=users,dc=test,dc=com, the
user is validated against the first target (ou=users) and can search over this
suffix, but if this user try to search something over other target (for example
ou=target1) the proxy does not use the credentials of the user and do an
anonymous bind to target1, so the search doesn't run.

I thought that rebind-as-user resolve this but doesn't run.

I've tried using idassert-bind mode=self bindmethod=simple
binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and runs
ok, but I prefer not to use an administrative account to connect the proxy with
the targets.

Is there something I'm missing?