[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-ldap and authentication

Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the 
> addressbook database, you don't appear to have performed a bind with 
> an identity on the addressbook database, so slapd-ldap just assumes 
> the anonymous identity.

Ah, yes. That sounds reasonable.

> Basically, the server has no way of knowing that it can trust your 
> bind from the NSS database.

Sure, but as the databases reside on the same backend server, it might
just give it a try and leave the decision to the backend server. This
would not make sense (and introduce a security breach) with different
backend servers of course. Maybe this could be considered a valid
feature request for a future release. (Or maybe this just doesn't work
out as I think it does.)

> The idassert-bind configuration may be of help to you

Thanks, I gave it a try with no success. Think I'll just have to read up
more on this stuff. Meanwhile I "fixed" my setup by configuring the
proxy to forward everything below "dc=sipwise,dc=com" to the backend
server. So the proxy now thinks "dc=nss" and "dc=addressbook" are within
the same database.

Thanks again and best regards,