Lynn York wrote:
When I issue "id user" from the client machine I can see the connection to
the proxy server, but I do not see the connection from the proxy to the AD
server. It also binds anonymously through the proxy and I need it to bind
with a certain user.
[ SNIPPET FROM slapd.conf ]
database ldap
suffix "dc=ldaptest,dc=local"
uri "ldap://2008vm1.inetu.net"
acl-bind bindmethod=simple
    binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
    credentials="testing"
idassert-bind bindmethod=simple
    authzID="u:bind"
    mode=self
    binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
    credentials="testing"
First of all, authzID is only useful if "mode" is not given, as
specified in the man page; it's ignored in your case.
Second, the idassert-bind directive is only honored if the user
authenticates, while your application is probably binding anonymously to
the proxy.
If you want idassert to work also for anonymous operations (not
recommended, as this defeats the security model of the remote server, by
letting it believe that the proxy authenticated users while it didn't),
you need to explicitly enable it using an idassert-authzFrom rule that
includes anonymous, like
idassert-authzFrom "dn.regex:.*"
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
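The slapd.conf stanza below is an added example, not part of the thread above and not Lynn's or Pierangelo's configuration. It rewrites the posted back-ldap snippet to reflect the two points in the reply: the unused authzID is dropped because mode=self makes it a no-op, and idassert-authzFrom is shown both in the restrictive form a practitioner would normally want and in the anonymous-enabling form the reply warns about. The host, suffix and bind DN are taken from the posted snippet; the ou=People subtree used to scope authenticated clients is an assumption.

```conf
# Added example (not from the original thread). Host, suffix and bind DN come
# from the posted snippet; the ou=People subtree below is assumed.
database        ldap
suffix          "dc=ldaptest,dc=local"
uri             "ldap://2008vm1.inetu.net"

# Identity the proxy itself uses when it needs to read the remote server,
# e.g. for its own ACL checks. Continuation lines must start with whitespace.
acl-bind        bindmethod=simple
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"

# Identity assertion: the proxy binds as the bind user and asserts the
# client's own identity on the remote server. With mode=self the authzID
# setting is ignored, so it is omitted rather than left in as a no-op.
idassert-bind   bindmethod=simple
                binddn="CN=Bind User,CN=Users,DC=ldaptest,DC=local"
                credentials="testing"
                mode=self

# Only assert on behalf of clients that actually authenticated to the proxy;
# here, anyone whose DN is under the assumed ou=People subtree. Anonymous
# clients do not match, so the remote server never sees an asserted identity
# the proxy did not verify.
idassert-authzFrom "dn.subtree:ou=People,dc=ldaptest,dc=local"

# The form the reply describes as not recommended: matching every DN,
# including the empty (anonymous) one, so the proxy asserts on behalf of
# clients that never authenticated. Left commented out on purpose.
# idassert-authzFrom "dn.regex:.*"
```

To confirm which of the two behaviours is in effect, bind to the proxy once anonymously and once as a user under ou=People and compare the connections the proxy opens to the remote server: with the subtree rule only the authenticated bind should produce an asserted identity on the AD side.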