[Date Prev][Date Next]
Re: back_meta and referrals authentication
- To: email@example.com
- Subject: Re: back_meta and referrals authentication
- From: Javier Sanz <firstname.lastname@example.org>
- Date: Sun, 3 Oct 2010 14:05:59 +0200
- Cc: "javier.sanz" <email@example.com>
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:received:in-reply-to :references:date:message-id:subject:from:to:cc:content-type; bh=G5FFzJ5UEWMIcmhBQ6kE4+R6gMWEUgddzfFMdVFblWE=; b=jZcGAHvT4bYysyt0rqZ/Swoa8cZdOR93DhGzCyi8uZWknV9RbJQm7Zw8DD2+X9CWtz URPo7oVW1vE4in1yddeQMFaH0kApiLaQNaQZGQtlggwO0BQeu/icG5i90Oe+DX2zgXS4 WgGkv9axtDDXscNxEiWhchbMR/FthRKmX89SI=
- Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=pnCTV72ao8d0htxF8gy6+9jVPZqXQbQcd3xNK69dJdmuqpokgqnt6Es5HZ55MX21ky kR68HdFoBwXUzYjqLxCTqjJ3O4A85LMkuC95zgWiih1Ya7Gr7wwaqUMFP4ZXVlkHjzeW v+sKYcCb5ceph7Y91IVzDGq4gg1O3sYcOzNgk=
- In-reply-to: <AANLkTim+KNefd2g2WpDK_BHkK9bW7GiPPm1=RAa8BN4f@mail.gmail.com>
- References: <AANLkTim+KNefd2g2WpDK_BHkK9bW7GiPPm1=RAa8BN4f@mail.gmail.com>
I understand that was a pretty specific question, so I'm going to try to make it a bit more general:
- Is it possible to specify the autentication slapd should use when chasing referrals of external LDAP servers?
On Fri, Sep 24, 2010 at 2:00 PM, Javier Sanz <firstname.lastname@example.org>
After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it
looks like the bindings to the referrals of the external LDAP servers
are no longer being made using the authentication information
specified in pseudorootdn and pseudorootpw, but are being made
anonymously. I have a backend meta that encapsulates a local LDAP
server and some remote ones, mainly Active Directory ones not under my
control. It also has a pcache overlay. Until now, pseudoroot* auth.
info. was used both when binding to Active Directories and when
chasing their referrals, but now it is only being used to bind to the
ADs and the binds to their referrals are being made anonymously.
Is that behavior still supported?. When slapd starts, it prints:
line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use
"idassert-bind" and "idassert-authzFrom" instead.
But slapd starts correctly. Does that mean that the directive works as
it used to but it will be removed in the future, or that its
functionality is deactivated until the user replaces it with
If it is the former, then the problem should be related to some other
change between 2.3 and 2.4, what could it be?.
If it is the later and pseudorootdn must be replaced with
ideassert-bind, I have tried it with all kinds of modes (none, self,
legacy), flags, and different idassert-authzFrom's,
with no sucess.
I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried
upgrading to 2.4.17 with the same results. Bindings from clients to my
server are always done using the same DN (rootdn).
It has been some days now since I started looking into this, so any
help is greatly appreciated.
Here is the relevant config:
loglevel config stats stats2
access to * by * write
suffixmassage "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"