[Date Prev][Date Next] [Chronological] [Thread] [Top]

ldap proxy to AD with local ACLs


it is me again regarding the ldap-backend.

As told, I've installed a openldap as proxy in a DMZ for authentication
forwarding to an Active Directoy. The Proxy is used by a VPN gateway.

That all works very well. But now, I want to protect the AD from modifying.
Only password changes from the user by self should be allowed.

But as I see or understand, ACLs from a backend are used, AFTER the
result from remote LDAP (AD) are coming back?! See second sentence
from http://www.openldap.org/faq/data/cache/532.html:

"It allows the common configuration directives as suffix, which is
used to select it when a request is received by the server, *ACLs,
which are applied to search results*, size and time limits, and so on.

So is it (and how is it) possible, to "switch" the ldap-backend in
"read only mode" and only pass the the password change (modify:

Thanks Meike