
Re: back-ldap: how to bind to remote server?



> I'm trying to use OpenLDAP as a proxy. I want it to bind to the remote
> LDAP server with a fixed dn, and use that dn for searches. This way,
> any dn binding to the proxy (even anonymously) could see objects and
> attributes that the dn used to bind to the real LDAP server can see.

This is discussed in the slapd-ldap(5) man page.  See the "idassert-bind"
statement.

> My problem is that it seems that the proxy does not bind to the remote
> server (in other words, it binds anonymously), just forwards searches,
> which fail this way, because the remote server requires authentication.
> The binddn and bindpw configuration options are correct, I can use
> ldapsearch to retrieve objects directly from the remote server.
>
> Looking at the network traffic, I can't see the proxy attempting to bind
> using the dn given in the binddn option.

Then you didn't read the man page.  The "binddn" statement specifies a DN
for a very specific purpose, which is not the one you are trying to
obtain.

> Here is the relevant part of my slapd.conf:
>
> ==
> database        ldap
> suffix          dc=company,dc=local
> chase-referrals no
> lastmod         off
> uri             ldap://remotehost
> binddn          <binddn>
> bindpw          <bindpw>
> ==
>
> Is it possible to configure back-ldap this way?

With OpenLDAP 2.3, yes.  But not with the above configuration.  See
slapd-ldap(5).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
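For readers who reach this thread looking for the configuration the reply points at: the fragment below is an added example, not part of the original message and not the poster's configuration. It shows the slapd.conf shape that OpenLDAP 2.3's slapd-ldap(5) describes for "idassert-bind", applied to the poster's suffix and host. The proxy DN "cn=proxy,dc=company,dc=local" and the password "secret" are placeholders; "mode=none" and the "idassert-authzFrom" pattern are the settings assumed to give every local client, including anonymous ones, the remote view of the proxy identity.

```conf
# Added example, not the original poster's slapd.conf.
database        ldap
suffix          "dc=company,dc=local"
uri             "ldap://remotehost"
chase-referrals no
lastmod         off

# The identity the proxy itself binds with on remotehost, and which it uses
# for the operations it forwards.  binddn/bindpw do not do this; they serve
# the backend's own internal lookups (see slapd-ldap(5)).
# Placeholder DN and password: replace with a dedicated, least-privilege
# account on the remote server.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=company,dc=local"
                credentials="secret"
                mode=none

# Which local identities may use the asserted identity.  The regex matches
# every DN, including the empty (anonymous) one, which is what the poster
# asked for; narrow it to a specific DN or subtree if anonymous clients
# should not inherit the proxy's read access on the remote server.
idassert-authzFrom "dn.regex:.*"
```

Because the remote server answers every forwarded request with the proxy account's privileges, whatever that account can read becomes readable through the proxy by anyone the authzFrom pattern admits; grant the account only the attributes the proxy is meant to expose, and keep slapd.conf readable only by the slapd user since it holds the credentials in clear text. After changing the configuration, a packet capture or the remote server's logs should show the bind as the proxy DN on the first forwarded search, which is the check the poster was already performing.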