Hi again,

I understand that was a pretty specific question, so I'm going to try to make it a bit more general:

- Is it possible to specify the autentication slapd should use when chasing referrals of external LDAP servers?


On Fri, Sep 24, 2010 at 2:00 PM, Javier Sanz <jsceballos@gmail.com> wrote:

After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it
looks like the bindings to the referrals of the external LDAP servers
are no longer being made using the authentication information
specified in pseudorootdn and pseudorootpw, but are being made
anonymously.  I have a backend meta that encapsulates a local LDAP
server and some remote ones, mainly Active Directory ones not under my
control. It also has a pcache overlay.  Until now, pseudoroot* auth.
info. was used both when binding to Active Directories and when
chasing their referrals, but now it is only being used to bind to the
ADs and the binds to their referrals are being made anonymously.

Is that behavior still supported?. When slapd starts, it prints:

line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use
"idassert-bind" and "idassert-authzFrom" instead.

But slapd starts correctly. Does that mean that the directive works as
it used to but it will be removed in the future, or that its
functionality is deactivated until the user replaces it with

If it is the former, then the problem should be related to some other
change between 2.3 and 2.4, what could it be?.

If it is the later and pseudorootdn must be replaced with
ideassert-bind, I have tried it with all kinds of modes (none, self,
legacy), flags, and different idassert-authzFrom's,
with no sucess.

I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried
upgrading to 2.4.17 with the same results. Bindings from clients to my
server are always done using the same DN (rootdn).

It has been some days now since I started looking into this, so any
help is greatly appreciated.

Here is the relevant config:

loglevel config stats stats2

modulepath /usr/lib/ldap
moduleload back_bdb
moduleload back_ldap
moduleload back_meta
moduleload pcache
allow update_anon
access to * by * write

database meta
suffix "dc=myldap,dc=local"
rootdn "cn=manager,dc=myldap,dc=local"
rootpw "passwd"
chase-referrals yes
rebind-as-user no
dncache-ttl forever
network-timeout 5
nretries 5
idle-timeout 5m
pseudoroot-bind-defer yes
overlay pcache
(...cache options..)

uri "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"

pseudorootdn "CN=Administrator,DC=Users,DC=externalldap,DC=com"
pseudorootpw windowsadminpasswd


Un saludo,