Hello -

I seem to have run into a bit of a roadblock with my configuration.  I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization.  I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP.  Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri.

From man slapd-ldap(5) I see the following:

acl-bind
...
              This  identity  is by no means implicitly used by the proxy when
              the client connects  anonymously.   The  idassert-bind  feature,
              instead,  in  some  cases  can  be  crafted  to  implement  that
              behavior, which is intrinsically unsafe and should be used  with
              extreme  care.   This  directive obsoletes acl-authcDN, and acl-
              passwd.
...

Unfortunately, I’m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated.

Any help would be welcome.

Cheers,
Dave




--
Dave Stoll
echo mac | sed 's/^/dave.stoll@/;s/$/.com/'