Hi all, I'm building an OpenLDAP proxy to an AD server and adding a little "intelligence" based on the client request.
Unfortunately the client/program asking for information about an account needs to be set up with a user and password. Is there a way to let the proxy "ignore" this user and password and instead just use the ones specified in the slapd.conf file? Or to set up fake credentials somewhere?
In detail, queries are something like:
ldapsearch -x -h openldap-proxy -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10
but I need the proxy to exclude the "-w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com"" part and use the one in the conf file. In fact, if I do a query like:
ldapsearch -x -h openldap-proxy -w "secret" -D "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int" userPrincipalName=TST-USER10 it works.
Here is the slapd.conf:

database        meta
suffix          "dc=pmm,dc=int"
uri             "ldap://10.10.10.1/dc=pmm,dc=int"
suffixmassage   "dc=pmm,dc=int" "dc=media,dc=int"

rewriteContext  searchFilter
rewriteRule     "userPrincipalName=(.*)@rtsi.ch" "userPrincipalName=%1@rsi.ch" ":"
# The POSIX class is [[:alnum:]]; a bare "[:alnum:]" only matches one of the
# characters : a l n u m. The class is widened to cover names such as TST-USER10.
rewriteRule     "sAMAccountName=([[:alnum:]._-]+)" "userPrincipalName=%1@rtr.ch" ":"

idassert-bind   bindmethod=simple
                binddn="CN=svc-adread05,CN=AdminAccounts,OU=RSI,OU=Units,DC=media,DC=int"
                credentials="Comano2012"
                mode=self
idassert-authzFrom "dn.regex:.*"
Any idea?
Many thanks and best regards.
Marco
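Before the bind question, the rewriteRule lines in the posted slapd.conf are worth checking, because a filter rule that silently never matches is easy to miss. The following is an added example (not code from the post or from OpenLDAP) that applies the posted rules and a hypothetical corrected pair to constructed client filters using Python's re module; it assumes a simplified model of slapd's rewrite engine in which the first matching rule replaces the whole string with its expanded action.

```python
import re

# Constructed sample filters, in the form a client sends them: ldapsearch wraps a bare
# "attr=value" argument such as userPrincipalName=TST-USER10 in parentheses.
FILTER_UPN = "(userPrincipalName=TST-USER10@rtsi.ch)"
FILTER_SAM = "(sAMAccountName=TST-USER10)"
FILTER_AND = "(&(objectClass=user)(sAMAccountName=TST-USER10))"

# The two searchFilter rules from the posted slapd.conf, transcribed to Python re syntax
# (slapd's %1 becomes \g<1>). "[:alnum:]" is kept literally on purpose: without the
# outer brackets it is an ordinary bracket expression matching ONE of the characters
# : a l n u m, not an alphanumeric class, so the second rule never matches a real name.
RULES_AS_POSTED = [
    (r"userPrincipalName=(.*)@rtsi\.ch", r"userPrincipalName=\g<1>@rsi.ch"),
    (r"sAMAccountName=([:alnum:])", r"userPrincipalName=\g<1>@rtr.ch"),
]

# Hypothetical corrected rules (not from the post): a real character class that also
# accepts the hyphen in names like TST-USER10 (a bare [[:alnum:]]+ would stop at "TST"),
# and (.*) groups on both sides so the surrounding filter text is carried through,
# which on the slapd side would be written with %1, %2 and %3.
RULES_FIXED = [
    (r"(.*)userPrincipalName=(.*)@rtsi\.ch(.*)",
     r"\g<1>userPrincipalName=\g<2>@rsi.ch\g<3>"),
    (r"(.*)sAMAccountName=([A-Za-z0-9._-]+)(.*)",
     r"\g<1>userPrincipalName=\g<2>@rtr.ch\g<3>"),
]


def rewrite_filter(flt, rules):
    """Model of the rewrite engine used here (an assumption, not slapd's own code):
    the first rule whose regex matches anywhere in the string replaces the whole
    string with its expanded action; the ":" flag stops after that first match."""
    for pattern, action in rules:
        m = re.search(pattern, flt)
        if m:
            return m.expand(action)
    return flt


if __name__ == "__main__":
    for flt in (FILTER_UPN, FILTER_SAM, FILTER_AND):
        print(f"{flt}\n  posted -> {rewrite_filter(flt, RULES_AS_POSTED)}"
              f"\n  fixed  -> {rewrite_filter(flt, RULES_FIXED)}")
```

Running it shows the posted sAMAccountName rule leaving the TST-USER10 filter untouched, so such a query reaches AD unrewritten and returns nothing rather than the intended userPrincipalName lookup.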