I have moved local users into a separate branch of the local DIT, set idassert-authzFrom to this branch and set the 'non-prescriptive' flag on the targets.
With this config, remote users can bind correctly to a target. If another target is in the scope of the query, openldap will attempt to bind with no credentials. This behaviour is fine.
If the root user binds to the local database, openldap will bind to all targets in scope with the full idassert credentials.
If a local user (but not root) binds to the local database, openldap uses the idassert dn to bind, but does not supply a password. This is now the problem, as most of my targets require a successful bind in order to perform queries.
Thanks,
Drew
Andrew Graham ICT AgustaWestland UK Tel No: +44 (0) 1935 70 4421 andrew.graham@agustawestland.com
Pierangelo Masarati ando@sys-net.it 25/07/2008 10:59 >>>
I've been racking my brains trying to understand the syntax of idassert-bind.
In my current setup I have a local bdb database with some users and the base entry for the tree. I have a meta database that is subordinate to the bdb database.
If I bind to the proxy as root, and search for anything, with any base (within the tree) openldap will bind to the relevant targets using the credentials defined in the idassert-bind directives.
If I bind to the proxy as a user that exists locally (within the bdb database) but not in any of the targets, openldap will bind to the targets anonymously using the dn defined in idassert-bind but no password.
If I bind to the proxy as a user that exists in one of the targets, it will bind to that target with the supplied credentials, and bind anonymously using the dn defined in idassert-bind to all other targets within scope.
Ideally, I would like the following situation:
If a user binds with local credentials, openldap should bind to the targets with the credentials supplied with idassert-bind.
If a user binds with remote credentials, openldap should bind to that target with the credentials supplied by the user, and either bind to the other targets using the pre-defined credentials OR not attempt to bind to those targets.
If I get your wishes correctly, you should work at the idassert-authzFrom level to only enable identity assertion for local users, disabling it for remote users. You may need to set "non-prescriptive" in order to allow non-authorized users to connect anonymously.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
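The thread describes the setup only in prose, so here is the shape of it as a slapd.conf fragment, added as an illustration and not Drew's actual configuration: a local bdb database with users under a separate branch, a glued back-meta database, and idassert-authzFrom narrowed to that branch with the non-prescriptive flag, as suggested above. Every DN, host name and password is a placeholder.

```conf
# Added illustration of the configuration discussed in the thread, not the
# poster's own slapd.conf. All DNs, URIs and secrets below are placeholders.

# Proxy to the remote servers. Glued beneath the local database, so it is
# declared before its superior (slapd requires subordinates to come first).
database        meta
suffix          "ou=remote,dc=example,dc=com"
subordinate

# First target: virtual naming context on the proxy, real context on the server.
uri             "ldap://ldap1.example.invalid/ou=site1,ou=remote,dc=example,dc=com"
suffixmassage   "ou=site1,ou=remote,dc=example,dc=com" "dc=site1,dc=invalid"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=site1,dc=invalid"
                credentials="PLACEHOLDER_PASSWORD"
                flags=non-prescriptive
# Only identities under the local users branch get the proxy identity asserted
# on their behalf. Remote users fall outside this rule and keep their own
# credentials; non-prescriptive lets unauthorized identities proceed anonymously
# instead of having the operation rejected.
idassert-authzFrom "dn.subtree:ou=local,dc=example,dc=com"

# Second target, same policy.
uri             "ldap://ldap2.example.invalid/ou=site2,ou=remote,dc=example,dc=com"
suffixmassage   "ou=site2,ou=remote,dc=example,dc=com" "dc=site2,dc=invalid"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=site2,dc=invalid"
                credentials="PLACEHOLDER_PASSWORD"
                flags=non-prescriptive
idassert-authzFrom "dn.subtree:ou=local,dc=example,dc=com"

# Local database: holds the suffix entry and the local users under ou=local.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER_HASH
directory       /var/lib/ldap
```

The idassert credentials sit in cleartext in this file, so it needs the same file permissions as any other secret store, and the rootdn is not subject to the authzFrom restriction, which is why root gets the full proxy identity on every target.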