Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the
> addressbook database, you don't appear to have performed a bind with
> an identity on the addressbook database, so slapd-ldap just assumes
> the anonymous identity.

Ah, yes. That sounds reasonable.

> Basically, the server has no way of knowing that it can trust your
> bind from the NSS database.

Sure, but as the databases reside on the same backend server, it might
just give it a try and leave the decision to the backend server. This
would not make sense (and introduce a security breach) with different
backend servers of course. Maybe this could be considered a valid
feature request for a future release. (Or maybe this just doesn't work
out as I think it does.)

> The idassert-bind configuration may be of help to you

Thanks, I gave it a try with no success. Think I'll just have to read up
more on this stuff. Meanwhile I "fixed" my setup by configuring the
proxy to forward everything below "dc=sipwise,dc=com" to the backend
server. So the proxy now thinks "dc=nss" and "dc=addressbook" are
within the same database.
Thanks again and best regards,
daniel