Curt Blank wrote:
Using a privileged admin type DN that is allowed auth access to the userPassword attribute along with an ACL filter statement seems like the way to go. But implementing this technique appears easier said than done.
The original thought was to bind as the privileged admin DN and then do a, for lack of a better term, sub-bind as the user's DN in hopes that the original bind as the privileged admin DN would then allow this restricted authentication to succeed. Well, we have not been able to accomplish this for probably one of two reasons. We're either doing something wrong, or it's just not possible.
It's not possible.
Excerpt from RFC 4511, section 4.2.1:
    Clients may send multiple Bind requests to change the authentication
    and/or security associations or to complete a multi-stage Bind process.
    Authentication from earlier binds is subsequently ignored.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Probably I did not fully understand your use-case but using the Proxy Authorization Control might be a solution for your particular problem too.
Ciao, Michael.
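Since RFC 4511 says a second Bind replaces rather than stacks on the first, the mechanism the reply points to is not another Bind but a control attached to each operation: the Proxied Authorization Control of RFC 4370 (OID 2.16.840.1.113730.3.4.18), sent by a connection that is already bound as the privileged DN and carrying the authzId the operation should run as. The following is an added example, not code from either poster, showing what that control looks like on the wire and what a server has to check before honouring it; the DN in the usage call is a constructed sample value. Note what the control does and does not do: it changes the authorization identity of an operation, it never verifies the proxied user's password, so it covers "act as this user", not "check this user's credentials".

```python
# Added example (not part of the original thread): build and parse the
# RFC 4370 Proxied Authorization Control at the BER level.
# All DNs used below are constructed sample values.

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370, section 3


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    """One BER tag-length-value triple."""
    return bytes([tag]) + _ber_len(len(value)) + value


def _valid_authz_id(authz_id: str) -> bool:
    """authzId per RFC 4513: empty (anonymous), 'dn:<DN>' or 'u:<userid>'."""
    return authz_id == "" or authz_id.startswith("dn:") or authz_id.startswith("u:")


def build_proxy_authz_control(authz_id: str) -> bytes:
    """Encode Control ::= SEQUENCE { controlType, criticality, controlValue }.

    RFC 4370 requires criticality TRUE, so a server that does not support
    the control must refuse the operation rather than silently run it
    under the bound (privileged) identity.
    """
    if not _valid_authz_id(authz_id):
        raise ValueError("authzId must be empty, 'dn:<DN>' or 'u:<userid>'")
    inner = (
        _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))   # controlType (LDAPOID is an OCTET STRING)
        + _tlv(0x01, b"\xff")                          # criticality BOOLEAN TRUE
        + _tlv(0x04, authz_id.encode("utf-8"))         # controlValue: the raw authzId bytes
    )
    return _tlv(0x30, inner)                           # SEQUENCE


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV starting at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_proxy_authz_control(raw: bytes) -> str:
    """Decode the control the way a server must: check the OID, insist on
    criticality TRUE, and accept only a well-formed authzId. Returns it."""
    tag, seq, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("not a single BER SEQUENCE")
    tag, oid, pos = _read_tlv(seq, 0)
    if tag != 0x04 or oid != PROXY_AUTHZ_OID.encode("ascii"):
        raise ValueError("not the proxied authorization control")
    tag, crit, pos = _read_tlv(seq, pos)
    # criticality is DEFAULT FALSE, so an absent or zero BOOLEAN means FALSE.
    if tag != 0x01 or crit == b"\x00":
        raise ValueError("RFC 4370 requires criticality TRUE")
    tag, value, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("malformed controlValue")
    authz_id = value.decode("utf-8")
    if not _valid_authz_id(authz_id):
        raise ValueError("authzId is not empty, 'dn:...' or 'u:...'")
    return authz_id


if __name__ == "__main__":
    # Constructed sample: the identity a privileged connection wants to act as.
    ctl = build_proxy_authz_control("dn:uid=alice,ou=people,dc=example,dc=com")
    print(ctl.hex())
    print(parse_proxy_authz_control(ctl))
```

Whichever client library you use attaches this control to a Search, Compare or Modify request on the connection bound as the admin DN; the directory then evaluates the operation's access control as the proxied identity, provided the bound DN has been granted the right to proxy as that identity. That grant, not the admin's auth access to userPassword, is what the server checks.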