[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Chain authentication bind configuration

Dave Stoll wrote:
Hello -

I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri.

From man slapd-ldap(5) I see the following:

This identity is by no means implicitly used by the proxy when
the client connects anonymously. The idassert-bind feature,
instead, in some cases can be crafted to implement that
behavior, which is intrinsically unsafe and should be used with
extreme care. This directive obsoletes acl-authcDN, and acl-

Unfortunately, I’m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated.

Any help would be welcome.


-- Dave Stoll echo mac | sed 's/^/dave.stoll@/;s/$/.com/'

What slapd version are you on?

Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).