Re: Meta Idassert-bind
> I've been racking my brains trying to understand the syntax of
> In my current setup I have a local bdb database with some users and
> base entry for the tree. I have a meta database that is subordinate
> the bdb database.
> If I bind to the proxy as root, and search for anything, with any
> (within the tree) openldap will bind to the relevant targets using
> credentials defined in the idassert-bind directives.
> If I bind to the proxy as a user that exists locally (within the bdb
> database) but not in any of the targets, openldap will bind to the
> targets anonymously using the dn defined in idassert-bind but no
> If I bind to the proxy as a user that exists in one of the targets,
> will bind to that target with the supplied credentials, and bind
> anonymously using the dn defined in idassert-bind to all other
> within scope.
> Ideally, I would like the following situation:
> If a user binds with local credentials, openldap should bind to the
> targets with the credentials supplied with idassert-bind.
> If a user binds with remote credentials, openldap should bind to that
> target with the credentials supplied by the user, and either bind to
> other targets using the pre-defined credentials OR not attempt to
> to those targets.
If I get your wishes correctly, you should work at the idassert-authzFrom level to only enable identity assertion for local users, disabling it for remote users. You may need to set "non-prescriptive" in order to allow non-authorized users to connect anonymously.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
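A slapd.conf fragment illustrating the suggestion above (identity assertion restricted with idassert-authzFrom to locally authenticated users, non-prescriptive so everyone else falls through to an anonymous bind). This is an added, constructed example, not configuration posted in this thread: the suffixes, hostnames, bind DNs and passwords are placeholders, and mode=none is an assumption chosen so that the proxy binds to the targets as the idassert-bind identity itself rather than asserting the client's DN via proxyAuthz.

```conf
# Constructed example (not from the thread). Placeholders: dc=example,dc=com,
# ldap1/ldap2.example.net, cn=proxy DNs, REPLACE-ME passwords.

# Subordinate meta database, declared before its superior.
database        meta
suffix          "ou=remote,dc=example,dc=com"
subordinate

# First target. Each "uri" opens a new target; the idassert-* directives
# that follow it apply to that target only.
uri             "ldap://ldap1.example.net/ou=target1,ou=remote,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=target1,ou=remote,dc=example,dc=com"
                credentials="REPLACE-ME"
                mode=none
                flags=non-prescriptive
# Only identities matching these rules get the asserted identity; a user who
# bound with a DN under ou=target2 (a remote user) matches neither, so with
# non-prescriptive the proxy searches this target anonymously instead of
# failing with inappropriateAuthentication (the prescriptive default).
idassert-authzFrom "dn.exact:cn=manager,dc=example,dc=com"
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# Second target, same policy.
uri             "ldap://ldap2.example.net/ou=target2,ou=remote,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,ou=target2,ou=remote,dc=example,dc=com"
                credentials="REPLACE-ME"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=manager,dc=example,dc=com"
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# Superior database holding the local users (back-bdb, as in the poster's setup).
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
rootpw          "{SSHA}REPLACE-WITH-HASHED-PASSWORD"
directory       /var/lib/ldap
```

With this layout, a bind as cn=manager or as uid=alice,ou=people,dc=example,dc=com is forwarded to both targets as the cn=proxy identity; a bind as a DN under ou=target1 is forwarded to ldap1 with the user's own credentials (back-meta routes the bind to the target that owns the DN), and ldap2 is reached anonymously because that DN matches no idassert-authzFrom rule. Dropping flags=non-prescriptive turns the anonymous fallback into an inappropriateAuthentication error, which is the "OR not attempt to bind" variant the poster mentions.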