
Re: slapd-meta question



Please keep replies on the list

> Thank you very much for your answer. Especially the table was very useful!
>
> One last question: What does that mean that binddn/bindpw are only for
> ACL checking?

binddn/bindpw do not exist any more.  Now they're called
acl-authcDN/acl-passwd to highlight their purpose.  Essentially, any time
the meta database needs to access a remote server for administrative
purposes (e.g. to collect info about access control) it uses those
credentials.  Obviously, if the administrator of the proxy uses this
directive, it assumes that the acl-authc identity has the privilege to
read that info, so there must be a mutual agreement between the
administrator of the proxy and that of the remote server that operations
performed with that identity have to be considered "trusted"; if there's
no such agreement, the acl-authcDN/acl-passwd statements shouldn't be
used.

In any case, those credentials are never used to replace the client's
identity.  Back-meta doesn't implement (yet?) the identity assertion
feature of back-ldap.  If you need that feature, you should consider using
multiple instances of back-ldap glued together, to emulate some of the
functionalities of back-meta.

p.



Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
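The two setups contrasted in the reply above, written out as slapd.conf
fragments.  This is an added illustration, not part of the original
exchange and not OpenLDAP's own sample configuration; host names, suffixes,
the "cn=proxy,..." service DNs and the passwords are hypothetical.  The
first block is back-meta, where acl-authcDN/acl-passwd are per-target and
serve only the proxy's own administrative lookups; the second block replaces
it with one back-ldap database per remote server, stitched together by the
glue overlay, so that idassert-bind can assert the client's own identity on
the remote side (the proxy account must be allowed to do that on each remote
server, which is the "mutual agreement" the reply refers to).

```conf
# --- Variant 1: back-meta (hypothetical values throughout) ---------------
database        meta
suffix          "dc=example,dc=com"

# target 1: people live on ldap1 under a different naming context
uri             "ldap://ldap1.example.com/ou=people,dc=example,dc=com"
suffixmassage   "ou=people,dc=example,dc=com" "ou=people,dc=ldap1,dc=internal"
# Used ONLY when the proxy itself needs to read the remote server (e.g. to
# evaluate access control); never substituted for the client's identity.
acl-authcDN     "cn=proxy,ou=services,dc=ldap1,dc=internal"
acl-passwd      secret1

# target 2: groups live on ldap2
uri             "ldap://ldap2.example.com/ou=groups,dc=example,dc=com"
suffixmassage   "ou=groups,dc=example,dc=com" "ou=groups,dc=ldap2,dc=internal"
acl-authcDN     "cn=proxy,ou=services,dc=ldap2,dc=internal"
acl-passwd      secret2

# --- Variant 2: glued back-ldap instances with identity assertion ---------
# Subordinate databases are listed before the superior one that glues them.
database        ldap
suffix          "ou=people,dc=example,dc=com"
subordinate
uri             "ldap://ldap1.example.com"
suffixmassage   "ou=people,dc=example,dc=com" "ou=people,dc=ldap1,dc=internal"
# The proxy binds to ldap1 as cn=proxy and asserts the client's DN on each
# operation (mode=self); ldap1 must authorize cn=proxy to do so.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=services,dc=ldap1,dc=internal"
                credentials=secret1
                mode=self
# which local identities may be asserted; here: any bound DN
idassert-authzFrom "dn.regex:.*"

database        ldap
suffix          "ou=groups,dc=example,dc=com"
subordinate
uri             "ldap://ldap2.example.com"
suffixmassage   "ou=groups,dc=example,dc=com" "ou=groups,dc=ldap2,dc=internal"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=services,dc=ldap2,dc=internal"
                credentials=secret2
                mode=self
idassert-authzFrom "dn.regex:.*"

# superior database holding the common root entry; glue overlay makes the
# two back-ldap subtrees appear as one naming context to clients
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/example
overlay         glue
```

In both variants the proxy account's password sits in clear text in
slapd.conf, so the file permissions matter as much as the directives.  For
variant 2 the remote servers also have to permit the assertion explicitly
(an authzTo attribute on the cn=proxy entry together with a matching
authz-policy setting on that server); without that agreement, operations
will fail rather than silently run as the proxy identity.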