Re: ldap meta + activedirectory

Dieter Kluenter wrote:

As far as I remember, back-meta passes any simple bind credentials it
receives to the remote server.

Correct. Simple binds are propagated, much like back-ldap does. I was referring to the "binddn" (and "bindpw") statement(s) in slapd-meta(5), whose usage has been often misinterpreted as the identity back-meta (and back-ldap) would use to propagate anonymous binds. To reduce the chances of misinterpretation, in HEAD/2.3 the "binddn" and "bindpw" statements have been renamed "acl-authcDN" and "acl-passwd", indicating that they're the identity back-ldap uses to access the remote server for local ACL checking purposes. Identity assertion occurs in HEAD/2.3 by means of the identity assertion mechanism, which, in some cases, may result in anonymous binds occurring by way of some administrative identity, e.g. back-ldap authenticates with some administrative identity and asserts the anonymous identity by means of the proxyAuthz control. There's a variety of identity assertion policies currently implemented in back-ldap. See 2.3's slapd-ldap(5).
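As an added illustration (not part of the message above, nor a verbatim excerpt of the OpenLDAP documentation), here is a 2.3-style slapd.conf back-ldap fragment that keeps the two identities discussed apart. The acl-authcDN/acl-passwd names come from the message; the idassert-* directive names are assumed from 2.3's slapd-ldap(5), and every DN, host and password is a constructed placeholder.

```conf
# Constructed example: a back-ldap database proxying to a remote directory.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com/"

# acl-authcDN / acl-passwd (formerly "binddn" / "bindpw"):
# used ONLY when slapd must read remote entries to evaluate its own,
# local ACLs. This identity never carries a client's operations, so it
# cannot turn an anonymous client into cn=acl-reader on the remote side.
acl-authcDN     "cn=acl-reader,dc=example,dc=com"
acl-passwd      acl-reader-secret

# Identity assertion (directive names assumed from 2.3's slapd-ldap(5)):
# back-ldap binds to the remote server as the administrative identity
# below and asserts the client's own identity per operation with the
# proxyAuthz control (RFC 4370). A client that bound anonymously is
# asserted as anonymous, so the remote server applies its rights for
# anonymous, not those of cn=proxy. Simple binds from clients are still
# passed straight through to the remote server, as the message says.
idassert-authcDN  "cn=proxy,dc=example,dc=com"
idassert-passwd   proxy-secret
# The assertion policy (which identities get asserted, and how) is
# selected with the idassert-mode directive; see slapd-ldap(5) for the
# available policies before relying on a particular behaviour.
```

For this to work the remote server must accept the proxied authorization control and must explicitly allow cn=proxy to assume other identities (on OpenLDAP, an authzTo rule on that entry together with a matching authz-policy); a server that does not honour the control rejects the asserted operations rather than silently running them as the administrative identity.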


