[Date Prev][Date Next] [Chronological] [Thread] [Top]

Subordinate Referral Credentials


We're setting up a distributed OpenLDAP service, with a "local"
root server and a "remote" server for a subtree.

When both ACLs have "access to * by * read" it all works fine.
But if I use something more reasonable, like:

access to *
	by users read
	by anonymous auth

then searches for the remote subtree fail (no error msg, just no results).
The ldapsearch command I'm using is:

ldapsearch -C -P 3 -x -LLL -S "" -b 'dc=alaska,ou=remotes,dc=dlese,dc=org' \
  -H 'ldap://localhost:3890' -D 'cn=mainAdmin,ou=people,dc=dlese,dc=org' \
  -w xxx -s sub '(cn=alaskaAdmin)' '*' '+'

This same search command does find the matching entry when
I present it directly to the remote server.

Looking at the debug log, it appears that ldapsearch -C
isn't presenting any credentials to the remote server ...

    ber_scanf fmt (m}) ber:
    >>> dnPrettyNormal: <>
    <<< dnPrettyNormal: <>, <>
    do_bind: version=3 dn="" method=128
    send_ldap_result: conn=0 op=0 p=3
    send_ldap_response: msgid=4 tag=97 err=0
    ber_flush: 14 bytes to sd 7
    do_bind: v3 anonymous bind

Is there a way to force ldapsearch to present credentials
to the remote server?

Many thanks!