On 02/28/2014 11:00 AM, theedgeu2@live.com wrote:
Full_Name: Angel Martinez
Version: 2.4.39
OS: Red Hat Linux 6.4
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.71.18.36)
I'm trying to configure an LDAP proxy with slapd-meta.
I have several suffixes over several instances that share the same user accounts. It's possible that one user has access to several targets.
The targets are:
Users: ou=users, dc=test, dc=com (here resides all accounts)
Target1: ou=target1, dc=test, dc=com
Target2: ou=target2, dc=test, dc=com
These 3 suffixes are on 3 different instances.
The instances where target1 and target2 reside also have another suffix: ou=users, dc=test, dc=com. This suffix is replicated from the first instance (Users).
Normally, the users connect through the proxy, but sometimes they will connect directly to the other instances.
Basically this is the slapd.conf of the proxy:
    database        meta
    chase-referrals yes
    rebind-as-user  yes

    suffix  "ou=users,dc=test,dc=com"
    uri     "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"

    suffix  "ou=target1,dc=test,dc=com"
    uri     "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"

    suffix  "ou=target2,dc=test,dc=com"
    uri     "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
When a user connects to the proxy with cn=user1,ou=users,dc=test,dc=com, the user is validated against the first target (ou=users) and can search over this suffix, but if this user tries to search something over another target (for example ou=target1), the proxy does not use the credentials of the user and does an anonymous bind to target1, so the search doesn't run.
I thought that rebind-as-user would resolve this, but it doesn't.
I've tried using idassert-bind mode=self bindmethod=simple binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and it works OK, but I prefer not to use an administrative account to connect the proxy to the targets.
Is there something I'm missing?
Yes, you did not read the slapd-meta(5) man page. rebind-as-user is used in a totally different context. What you need is idassert-bind.
Please direct further conversation to openldap-technical@openldap.org. This ITS will be closed.
p.
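For readers who arrive here looking for the actual configuration, the following is an added example of the proxy-side slapd.conf the reply points to. It is not taken from the report or the reply above, and it assumes the layout the reporter describes: the accounts subtree ou=users is replicated to every instance, so cn=adminuser,ou=users,dc=test,dc=com (the account and placeholder password from the report) exists on target1 and target2 and can bind there, and those instances are configured to let that account assert other identities (see the note after the block). Host addresses and ports are the reporter's; everything else is illustrative.

```conf
# Added example, not from the original report or reply: slapd.conf for the
# proxy, using idassert-bind on the targets that never receive the client's
# own bind. Assumes cn=adminuser,ou=users,dc=test,dc=com is present on every
# target (replicated ou=users subtree) and is allowed to assert identities
# there (authz-policy to, authzTo on the adminuser entry).
database        meta
chase-referrals yes
# rebind-as-user is deliberately omitted: per slapd-meta(5) it only controls
# whether the client's credentials are reused when a connection is
# re-established or a referral is chased. It does not forward them to other
# targets, which is what the report was trying to achieve.

# Target holding the accounts. The client's bind DN lies under this suffix,
# so the bind itself is forwarded here and the user is authenticated by this
# target. No identity assertion is needed.
suffix          "ou=users,dc=test,dc=com"
uri             "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"

# Targets that never see the client's bind. Without idassert-bind the proxy
# opens an anonymous connection to them. With mode=self the proxy binds as
# adminuser and attaches a proxyAuthz control carrying the client's DN, so
# the target evaluates its ACLs for cn=user1,ou=users,dc=test,dc=com rather
# than for adminuser. adminuser therefore needs no read rights of its own on
# ou=target1, only the right to assert identities.
suffix          "ou=target1,dc=test,dc=com"
uri             "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=adminuser,ou=users,dc=test,dc=com"
                credentials="password"
                mode=self
# Restrict which local identities may be asserted: only entries below
# ou=users. Identities outside this pattern are not asserted; whether they
# are refused or passed through anonymously depends on the prescriptive /
# non-prescriptive flag of idassert-bind (see slapd-meta(5)).
idassert-authzFrom "dn.children:ou=users,dc=test,dc=com"

suffix          "ou=target2,dc=test,dc=com"
uri             "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=adminuser,ou=users,dc=test,dc=com"
                credentials="password"
                mode=self
idassert-authzFrom "dn.children:ou=users,dc=test,dc=com"
```

Two things have to be true on the target instances for this to work, and both are assumptions of the example rather than anything the thread states: their slapd.conf must enable identity assertion by the bound entry (`authz-policy to`, see slapd.conf(5)), and the adminuser entry must carry a matching `authzTo` value such as `dn.children:ou=users,dc=test,dc=com`, which in the reporter's setup would be set on the Users instance and arrive on the targets through replication. The user entries still need whatever ACLs on ou=target1 and ou=target2 they need when connecting directly, since the operations run under the asserted user DN. This also answers the reporter's reservation about an administrative account: the identity used by the proxy only needs to bind and to be listed as allowed to assert; it does not need, and should not be given, data access of its own. The credentials still sit in clear text in slapd.conf, so the file's permissions matter. A quick check is to bind through the proxy as cn=user1 and search ou=target1; with `loglevel stats` on the target, the search should be logged after a `PROXYAUTHZ dn="cn=user1,ou=users,dc=test,dc=com"` line rather than as an anonymous operation.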