
Re: slapd-ldap and authentication

Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the 
> addressbook database, you don't appear to have performed a bind with 
> an identity on the addressbook database, so slapd-ldap just assumes 
> the anonymous identity.

Ah, yes. That sounds reasonable.

> Basically, the server has no way of knowing that it can trust your 
> bind from the NSS database.

Sure, but as the databases reside on the same backend server, it might
just give it a try and leave the decision to the backend server. This
would not make sense (and introduce a security breach) with different
backend servers of course. Maybe this could be considered a valid
feature request for a future release. (Or maybe this just doesn't work
out as I think it does.)

> The idassert-bind configuration may be of help to you

Thanks, I gave it a try with no success. Think I'll just have to read up
more on this stuff. Meanwhile I "fixed" my setup by configuring the
proxy to forward everything below "dc=sipwise,dc=com" to the backend
server. So the proxy now thinks "dc=nss" and "dc=addressbook" are within
the same database.

Thanks again and best regards,
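
Added example, not part of the original message or of the poster's configuration: a slapd.conf sketch of the two proxy layouts discussed in this thread. The backend URI, the proxy bind DN, the credentials, and the full suffixes (dc=nss and dc=addressbook placed directly under dc=sipwise,dc=com) are assumptions.

```conf
# Added example. Host name, proxy DN, password and full suffixes are
# assumptions. Layout A and Layout B are alternatives, not one file.

# --- Layout A: one slapd-ldap database per subtree -------------------
# A bind handled by the dc=nss database is not carried over to a search
# handled by the dc=addressbook database, so that search reaches the
# backend as anonymous unless the second database asserts the identity.
database        ldap
suffix          "dc=nss,dc=sipwise,dc=com"
uri             "ldap://backend.example.com/"

database        ldap
suffix          "dc=addressbook,dc=sipwise,dc=com"
uri             "ldap://backend.example.com/"
# The proxy authenticates with its own identity and asserts the client's
# DN to the backend through proxied authorization (mode=self).
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=sipwise,dc=com"
                credentials="CHANGE-ME"
                mode=self
# Limit which locally bound identities the proxy will assert.
idassert-authzFrom "dn.subtree:dc=nss,dc=sipwise,dc=com"
# Backend side (not shown): the proxy DN needs an authzTo value covering
# these users, and authz-policy must allow it (for example "to").

# --- Layout B: the workaround described in the message ---------------
# A single database covers both subtrees, so the client's own bind and
# its later searches go through the same database to the backend.
database        ldap
suffix          "dc=sipwise,dc=com"
uri             "ldap://backend.example.com/"
```

In Layout A the proxy DN can act as any identity matched by idassert-authzFrom and the backend's authzTo, so both should be scoped as narrowly as the deployment allows. In Layout B the backend's own ACLs decide access for each client identity.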