I'm trying to use OpenLDAP as a proxy. I want it to bind to the remote LDAP server with a fixed dn, and use that dn for searches. This way, any dn binding to the proxy (even anonymously) could see objects and attributes that the dn used to bind to the real LDAP server can see.
This is discussed in the slapd-ldap(5) man page. See the "idassert-bind" statement.
My problem is that it seems that the proxy does not bind to the remote server (in other words, it binds anonymously), it just forwards searches, which fail this way, because the remote server requires authentication. The binddn and bindpw configuration options are correct; I can use ldapsearch to retrieve objects directly from the remote server.
Looking at the network traffic, I can't see the proxy attempting to bind using the dn given in the binddn option.
Then you didn't read the man page. The "binddn" statement specifies a DN for a very specific purpose, which is not the one you are trying to obtain.
Here is the relevant part of my slapd.conf:
==
database        ldap
suffix          dc=company,dc=local
chase-referrals no
lastmod         off
uri             ldap://remotehost
binddn          <binddn>
bindpw          <bindpw>
==
Is it possible to configure back-ldap this way?
With OpenLDAP 2.3, yes. But not with the above configuration. See slapd-ldap(5).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
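The directive the reply points at in slapd-ldap(5) is idassert-bind. The following slapd.conf fragment is an added example for this thread, not configuration from the poster or from the OpenLDAP project: it takes the posted database stanza and replaces binddn/bindpw with an idassert-bind whose identity is used for every forwarded operation. The proxy DN, its password, the host and the suffix are placeholders. The binddn/bindpw pair that was posted names the identity back-ldap uses only to read entries for its own access-control checks; it is not used to carry out a client's searches, which is why no such bind ever appeared on the wire.

```conf
# Added example (not from the original post or the OpenLDAP project):
# back-ldap proxy that performs every operation on the remote server
# under one fixed identity, for OpenLDAP 2.3 or later.
# cn=proxy,... , its password, remotehost and the suffix are placeholders.

database        ldap
suffix          "dc=company,dc=local"
uri             "ldap://remotehost"
chase-referrals no
lastmod         off

# Identity the proxy binds with on the remote server for forwarded
# operations. mode=none means no proxyAuthz control is attached, so the
# remote server sees cn=proxy,... for every search, whoever bound to the
# proxy, including anonymous clients. The default mode (legacy) instead
# asserts the client's own identity through proxyAuthz for authenticated
# clients, which needs authzTo/authzFrom rights on the remote server and
# is not what is wanted here.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=company,dc=local"
                credentials="proxy-secret"
                mode=none

# Optional: limit which local identities may use the asserted identity.
# Left commented out so that every client of the proxy, including
# anonymous ones, is served under cn=proxy as the poster asked.
#idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=company,dc=local$"
```

To check it, run an anonymous search against the proxy (ldapsearch -x with no -D) for something that is not readable anonymously on remotehost; a capture of the proxy-to-remotehost connection should now show a simple bind as cn=proxy,dc=company,dc=local before the search is forwarded. Two caveats a practitioner will want: with mode=none the remote server's ACLs and logs can no longer tell the proxy's clients apart, so any restriction on what they may read has to be enforced by access directives on the proxy's own ldap database or by idassert-authzFrom; and the credentials line puts a password in slapd.conf, so the file's permissions matter.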