
Re: back-ldap configuration



Jubal Kessler wrote:
> 
> Hi,
> 
> What's the proper way to set up back-ldap to perform simple
> authentication? Whatever I'm doing doesn't seem to work.
> My slapd.conf's back-ldap section is:
> 
> database        ldap
> suffix          "dc=server,dc=com"
> uri             "ldap://target.server.com"
> binddn          "cn=Manager,dc=server,dc=com"
> bindpw          "temp-passwd"

^^^ This is NOT the rootdn (which is simply ignored by back-ldap
    as shipped with REL_ENG) so it does NOT represent a user that
    has any special administrative rights.  It is used INTERNALLY
    by back-ldap to perform administrative queries to the target
    server mainly related to accessing ACL related attributes.
    If you don't want the target to allow anonymous bind, then try 
    to bind to the proxy with a valid user, which means a user 
    that's valid on the target server.  You don't need binddn/bindpw
    unless you plan to use extra ACLs on the proxy.

> lastmod         off
> 
> When I perform a query, it is routed via back-ldap to the target
> server, but no results are returned. If I enable anonymous read in
> the target server's ACL, then it works. But that defeats the purpose
> of using simple authentication here.
> 
> The binddn of "cn=Manager,dc=server,dc=com" does not exist in the
> target server's database, but it *does* exist in the target server's
> slapd.conf. Does this matter?

Yes.  That suffices.  The only point is that the target server must 
accept the binddn as a user that grants READ (and SEARCH, I guess)
access to the entries and the attributes that are used in ACLs on 
the proxy.

-- 
Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 |
mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   |
http://www.aero.polimi.it/~masarati
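As an added example (not from this thread, and not the OpenLDAP project's own configuration), here are the two proxy setups the reply distinguishes; host names, DNs and the password are assumed:

```conf
# Added example, not from the original thread. Host names, DNs and the
# password are assumed; replace them with your own.

# --- Variant A: plain proxy, no binddn/bindpw -------------------------
# The proxy evaluates no ACLs of its own, so back-ldap needs no identity.
# A client's simple bind (DN + password) is forwarded to the target, which
# applies its own ACLs; anonymous read on the target can stay disabled as
# long as the client binds as a DN that is valid there.
database        ldap
suffix          "dc=server,dc=com"
uri             "ldap://target.server.com"
lastmod         off

# --- Variant B: proxy with its own ACLs (use INSTEAD of Variant A) ----
# The group-based rule below makes the proxy read the group entry from
# the target while evaluating access.  For those internal lookups
# back-ldap binds as binddn/bindpw.  This is NOT the rootdn: it carries
# no special rights on the proxy, and the target only has to grant it
# read/search on the entries and attributes the proxy's ACLs reference
# (here, the group entry).
database        ldap
suffix          "dc=server,dc=com"
uri             "ldap://target.server.com"
binddn          "cn=proxyreader,dc=server,dc=com"
# assumed password; keep slapd.conf readable by the slapd user only
bindpw          "proxyreader-secret"
lastmod         off

access to *
        by group="cn=admins,dc=server,dc=com" write
        by users read
        by * none

# On target.server.com, in ITS slapd.conf, the binddn must be accepted
# as a user (an entry, or the target's rootdn as in the question) and be
# granted read on what the proxy's ACLs need, e.g.:
#   access to dn="cn=admins,dc=server,dc=com"
#           by dn="cn=proxyreader,dc=server,dc=com" read
#           by * none
```

In either variant a client authenticates by binding to the proxy with a DN that exists on the target, e.g. `ldapsearch -x -H ldap://proxy.server.com -D "uid=jdoe,dc=server,dc=com" -W -b "dc=server,dc=com"`, and back-ldap forwards that bind to the target.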