Hello,

I've setup a simple proxy so that local LDAP clients can get access to protected attributes on a remote server. My proxy is slapd 2.4.31 with this slapd.conf:

include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none
modulepath      /usr/lib/ldap
moduleload      back_ldap
sizelimit 500
tool-threads 1
backend ldap
database ldap
suffix "dc=company,dc=com"
uri ldap://ldap.company.com:389
idassert-bind bindmethod=simple
binddn="uid=my_id,ou=my_dept,dc=company,dc=com"
credentials="mypass"
authcId="dn:uid=my_id,ou=my_dept,dc=company,dc=com"
mode=legacy

ldap.company.com permits the my_id DN to access privileged attributes that anonymous users cannot. I can run ldapsearch against ldap.company.com with simple auth, binding as my_id, and view the privileged attributes.

ldapsearch -H ldap://ldap.company.com:389 -LLL -x \
  -b ou=users,dc=company,dc=com \
  -W -D uid=my_id,ou=my_dept,dc=company,dc=com \
  "(uid=12345)"

When I run ldapsearch against my proxy slapd with the above slapd.conf however...

ldapsearch -H ldap://myproxy.company.com:389 -LLL -x \
  -b ou=users,dc=company,dc=com \
  "(uid=12345)"

... a packet trace shows that slapd is connecting to ldap.company.com without binding as my_id:

LDAPMessage bindRequest(1) "<ROOT>" simple
  messageID: 1
  protocolOp: bindRequest (0)
    bindRequest
      version: 3
      name:
      authentication: simple (0)
        simple: <MISSING>

As a result I do not see the privileged attributes.

Based on the docs, I've chosen mode=legacy because I'd like for the proxy to "perform a simple bind as the authcDN ... and assert the client's identity when it is not anonymous."

I've also tried following the advice at http://www.openldap.org/faq/data/cache/532.html which states:

If no authzID is given, and mode is set to none (for instance because the remote server does not support the proxyAuthz control), the clients will be authorized as "cn=Proxy,dc=example,dc=com" even if they actually connected anonymously to the proxy. 

yielding:

idassert-bind bindmethod=simple
binddn="uid=my_id,ou=my_dept,dc=company,dc=com"
credentials="mypass"
mode=none

But an ldapsearch of my proxy then reports "Inappropriate authentication (48)" which I don't understand because client-to-proxy and proxy-to-remote all use simple auth.

What am I doing wrong? Any advice is greatly appreciated!

Ryan