Full_Name: Javier Sanz
Version: 2.4.17
OS: Debian Linux 5.0
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (80.38.203.12)

back_ldap and back_meta should be able to do a non-anonymous bind to the referrals returned by the external LDAP servers.
This is a regression since 2.3, because the old directives "pseudorootdn" and "pseudorootpw" allowed specifying the binddn and password that would be used to chase the referrals, but their 2.4 replacements "idassert-bind" and "idassert-authzFrom" do not allow that, so these binds are always done anonymously.
Back-ldap seems to work as expected if you set

    chase-referrals yes
    rebind-as-user yes
    idassert-bind bindmethod=simple binddn=<dn> credentials=<cred> mode=self

and binddn <dn> with credentials <cred> exists on both the remote server and the one pointed to by the referral.
With back-meta, it should work with the same parameters; however, I've checked and the specific code used to bind during searches does not set the rebind procedure correctly. I've fixed this in HEAD, please test.
Thanks, p.