Re: Chain authentication bind configuration
Dave Stoll wrote:
I seem to have run into a bit of a roadblock with my configuration. I
am trying to build an OpenLDAP server which uses ref: entries to chain
to two other LDAP servers for user authorization. I have been able to
get everything working fine so long as I allow anonymous binding on the
servers referenced from OpenLDAP. Unfortunately, the security folks are
requesting the OpenLDAP server to force bind credentials for the
particular ldap uri.
From man slapd-ldap(5) I see the following:
This identity is by no means implicitly used by the
the client connects anonymously. The idassert-bind
instead, in some cases can be crafted to implement
behavior, which is intrinsically unsafe and should be used
extreme care. This directive obsoletes acl-authcDN,
Unfortunately, I’m having a bit of difficulty finding any documentation
supporting the ability to implicitly use a particular bindDN and simple
authentication password, regardless of whether the query is anonymous or
Any help would be welcome.
echo mac | sed 's/^/dave.stoll@/;s/$/.com/'
What slapd version are you on?
T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
Open Source. Open Solutions(tm).