Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the addressbook database, you don't appear to have performed a bind with an identity on the addressbook database, so slapd-ldap just assumes the anonymous identity.
Ah, yes. That sounds reasonable.
> Basically, the server has no way of knowing that it can trust your bind from the NSS database.
Sure, but as the databases reside on the same backend server, it might just give it a try and leave the decision to the backend server. This would not make sense (and introduce a security breach) with different backend servers of course. Maybe this could be considered a valid feature request for a future release. (Or maybe this just doesn't work out as I think it does.)
> The idassert-bind configuration may be of help to you.
Thanks, I gave it a try with no success. Think I'll just have to read up more on this stuff. Meanwhile I "fixed" my setup by configuring the proxy to forward everything below "dc=sipwise,dc=com" to the backend server. So the proxy now thinks "dc=nss" and "dc=addressbook" are within the same database.
Thanks again and best regards, daniel
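
The two approaches discussed above, written out as a proxy `slapd.conf` fragment. This is an added example, not configuration posted in the thread: the backend host, the proxy service DN, the password and the full suffixes (both trees assumed to sit under `dc=sipwise,dc=com`) are placeholders.

```conf
# Proxy slapd.conf fragment (constructed example; host, DNs and password
# are placeholders, suffixes assume both trees live under dc=sipwise,dc=com).

database        ldap
suffix          "dc=nss,dc=sipwise,dc=com"
uri             "ldaps://backend.example.com/"
# Client binds against this subtree are passed through to the backend.

database        ldap
suffix          "dc=addressbook,dc=sipwise,dc=com"
uri             "ldaps://backend.example.com/"
# A client that bound through the NSS database has no bound connection
# here, so searches would go out anonymously. idassert-bind lets the proxy
# bind as a service identity and assert the client's DN to the backend.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=sipwise,dc=com"
                credentials="REPLACE_ME"
                mode=self
# Limit which locally authenticated identities may be asserted. Keep this
# as narrow as possible: anything matching it is vouched for by the proxy.
idassert-authzFrom "dn.subtree:dc=nss,dc=sipwise,dc=com"

# Backend side (not shown): authz-policy must permit "to" rules and the
# proxy's entry needs an authzTo value covering these users, otherwise
# the backend refuses the asserted identity.

# Alternative, the workaround described in the thread: one database for
# the parent suffix, so bind and search use the same proxied connection.
# database      ldap
# suffix        "dc=sipwise,dc=com"
# uri           "ldaps://backend.example.com/"
```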