I've been racking my brains trying to understand the syntax of idassert-bind.
In my current setup I have a local bdb database with some users and the base entry for the tree. I have a meta database that is subordinate to the bdb database.
If I bind to the proxy as root and search for anything, with any base (within the tree), OpenLDAP will bind to the relevant targets using the credentials defined in the idassert-bind directives.
If I bind to the proxy as a user that exists locally (within the bdb database) but not in any of the targets, OpenLDAP will bind to the targets anonymously, using the DN defined in idassert-bind but no password.
If I bind to the proxy as a user that exists in one of the targets, it will bind to that target with the supplied credentials, and bind anonymously using the DN defined in idassert-bind to all other targets within scope.
Ideally, I would like the following situation:
If a user binds with local credentials, OpenLDAP should bind to the targets with the credentials supplied with idassert-bind.
If a user binds with remote credentials, OpenLDAP should bind to that target with the credentials supplied by the user, and either bind to the other targets using the pre-defined credentials OR not attempt to bind to those targets.
If I get your wishes correctly, you should work at the idassert-authzFrom level to only enable identity assertion for local users, disabling it for remote users. You may need to set "non-prescriptive" in order to allow non-authorized users to connect anonymously.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando@sys-net.it
-----------------------------------
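A slapd.conf fragment, added here as an illustration and not taken from the thread, of the layout the reply describes: a subordinate meta database whose targets carry idassert-bind together with an idassert-authzFrom that matches only the subtree holding the local users, plus the non-prescriptive flag so everyone else proceeds anonymously. All suffixes, hostnames, DNs, paths and the password are placeholders.

```conf
# Subordinate meta database. In slapd.conf a subordinate database has to be
# defined before the superior (glue) database it hangs under.
database        meta
suffix          "ou=remote,dc=example,dc=com"
subordinate

# Target 1. Per-target directives apply to the most recent "uri" line.
uri             "ldap://ldap1.example.com/ou=site1,ou=remote,dc=example,dc=com"
# Identity used by the proxy when it asserts a local user's identity on the
# target. The target must allow this DN to authorize others (authzTo /
# authzPolicy on the remote server), otherwise assertion fails there.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-PASSWORD"
                flags=non-prescriptive
# Only identities under the local users' subtree may use identity assertion.
# A client bound as a DN outside this subtree (e.g. one that lives in a remote
# target) is not asserted; with non-prescriptive the operation continues
# anonymously on this target instead of failing with inappropriateAuthentication.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# Target 2, same policy.
uri             "ldap://ldap2.example.com/ou=site2,ou=remote,dc=example,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="PLACEHOLDER-PASSWORD"
                flags=non-prescriptive
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# Superior local database: holds the base entry and the local users
# (ou=people,...) that the idassert-authzFrom rule above refers to.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          "PLACEHOLDER-ROOTPW"
directory       /var/lib/ldap
```

Switching a target's flag from non-prescriptive to prescriptive is the way to make binds by non-local users fail outright on that target rather than fall back to anonymous.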