Shane wrote:
Hopefully someone will correct me if I'm wrong but as far as I'm aware you cannot log in as an ou object.
You can log in with __ANY__ DN, provided you configure your server to authenticate that identity. As for how to do that, there are innumerable ways (SASL in the first place, but adding a userPassword to an organizationalUnit, which is an allowed attribute, allows simple bind as well). Also, identities in ACLs do not imply the capability to bind with that DN, since proxyAuthz allows, as permitted by appropriate mechanisms, assuming any DN for the duration of an operation. Technically, the code does not pose any limit that is not a violation of the specifications; it's up to the administrator to limit what is possible and what is not.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
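Since the reply leaves it to the administrator to limit which DNs can bind, here is one way to audit an LDIF export for entries that carry a userPassword outside the usual account classes, or that hold proxy-authorization rules. This is an added example, not part of the original message or OpenLDAP's own code; the `ACCOUNT_CLASSES` allow-list, the function names and the sample entries are assumptions constructed for illustration.

```python
import base64
# Assumed allow-list: object classes expected to hold bind credentials.
ACCOUNT_CLASSES = {"person", "inetorgperson", "posixaccount", "account",
                   "simplesecurityobject"}
AUTHZ_ATTRS = {"authzto", "authzfrom"}  # OpenLDAP proxy-authorization rules

def parse_ldif(text):
    """Yield (dn, {attr: [values]}); handles folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # RFC 2849 line folding
        elif not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if "dn" in entry:
                yield entry["dn"][0], entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value.strip())

def audit(text):
    """Return (dn, reason) for entries that can bind or proxy unexpectedly."""
    findings = []
    for dn, attrs in parse_ldif(text):
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "userpassword" in attrs and not classes & ACCOUNT_CLASSES:
            findings.append((dn, "userPassword on non-account entry (simple bind possible)"))
        for a in sorted(AUTHZ_ATTRS.intersection(attrs)):
            findings.append((dn, f"{a} present (proxy authorization rule)"))
    return findings

# Constructed sample data, not taken from any real directory.
SAMPLE = """\
dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
userPassword:: e1NTSEF9

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
userPassword: {SSHA}constructed

dn: cn=svc,dc=example,dc=com
objectClass: applicationProcess
authzTo: dn.subtree:ou=People,dc=example,dc=com
"""
```

The export has to be taken with enough access to see userPassword (for example a `slapcat` dump), otherwise the attribute is simply absent and nothing is flagged.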