Re: (ITS#7807) rebind-as-user in slapd-meta not running
On 02/28/2014 11:00 AM, firstname.lastname@example.org wrote:
> Full_Name: Angel Martinez
> Version: 2.4.39
> OS: Red Hat Linux 6.4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (188.8.131.52)
> I'm trying to configure an LDAP proxy with slapd-meta.
> I have several suffixes over several instances that share the same user
> accounts. It's possible that one user has access to several targets.
> The targets are:
> * Users: ou=users, dc=test, dc=com (all accounts reside here)
> * Target1: ou=target1, dc=test, dc=com
> * Target2: ou=target2, dc=test, dc=com
> These 3 suffixes are on 3 different instances.
> The instances where target1 and target2 reside also have another suffix: ou=users,
> dc=test, dc=com. This suffix is replicated from the first instance (Users).
> Normally, the users connect through the proxy, but sometimes they will connect
> directly to the other instances.
> Basically this is the slapd.conf of the proxy:
> database meta
> chase-referrals yes
> rebind-as-user yes
> suffix "ou=users,dc=test,dc=com"
> uri "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"
> suffix "ou=target1,dc=test,dc=com"
> uri "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
> suffix "ou=target2,dc=test,dc=com"
> uri "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
> When a user connects to the proxy with cn=user1,ou=users,dc=test,dc=com, the
> user is validated against the first target (ou=users) and can search over this
> suffix, but if this user tries to search for something over another target (for example
> ou=target1), the proxy does not use the credentials of the user and does an
> anonymous bind to target1, so the search doesn't run.
> I thought that rebind-as-user would resolve this, but it doesn't run.
> I've tried using idassert-bind mode=self bindmethod=simple
> binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and it runs
> OK, but I prefer not to use an administrative account to connect the proxy with
> the targets.
> Is there something I'm missing?
Yes, you did not read the slapd-meta(5) man page. rebind-as-user is used in
a totally different context. What you need is idassert-bind.
Please direct further conversation to <email@example.com>.
This ITS will be closed.
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano