Hello -
I seem to have run into a bit of a roadblock with my configuration. I am
trying to build an OpenLDAP server which uses ref: entries to chain to two
other LDAP servers for user authorization. I have been able to get
everything working fine so long as I allow anonymous binding on the servers
referenced from OpenLDAP. Unfortunately, the security folks are requesting
the OpenLDAP server to force bind credentials for the particular ldap uri.
From man slapd-ldap(5) I see the following:
acl-bind
...
This identity is by no means implicitly used by the proxy when the client
connects anonymously. The idassert-bind feature, instead, in some cases can
be crafted to implement that behavior, which is intrinsically unsafe and
should be used with extreme care. This directive obsoletes acl-authcDN, and
acl-passwd.
...
Unfortunately, I'm having a bit of difficulty finding any documentation
supporting the ability to implicitly use a particular bindDN and simple
authentication password, regardless of whether the query is anonymous or
authenticated.
Any help would be welcome.
Cheers,
Dave
--
Dave Stoll
echo mac | sed 's/^/dave.stoll(a)/;s/$/.com/'
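A slapd.conf sketch of the "crafting" the man page excerpt alludes to, added here as an example and not part of Dave's post or of the OpenLDAP documentation: the chain overlay follows the ref: entries to the two backends and each chain-uri gets a fixed simple bind via chain-idassert-bind. Hostnames, DNs and the password are placeholders, and the mode=none / flags=override combination is the assumed way to apply that identity to anonymous and authenticated clients alike; confirm the semantics against slapd-ldap(5) for the deployed release before relying on it.

```conf
# Added example (not from the post): chain referral targets with a forced
# bind identity per URI. All hosts, DNs and credentials are placeholders.
overlay chain
chain-return-error TRUE

chain-uri "ldap://ldap1.example.com/"
# Bind to ldap1 as this DN for every chained operation. mode=none sends
# no proxyAuthz assertion; flags=override applies it even when the client
# itself bound with credentials (assumed semantics, verify in the man page).
chain-idassert-bind bindmethod=simple
    binddn="cn=chain-proxy,dc=example,dc=com"
    credentials="PLACEHOLDER_PASSWORD"
    mode=none
    flags=override

chain-uri "ldap://ldap2.example.com/"
chain-idassert-bind bindmethod=simple
    binddn="cn=chain-proxy,dc=example,dc=com"
    credentials="PLACEHOLDER_PASSWORD"
    mode=none
    flags=override
# Every chained request, anonymous ones included, now carries this DN's
# rights on ldap1/ldap2, which is why the man page calls the pattern unsafe:
# keep the proxy DN's ACLs on both backends limited to what chaining needs.
```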