After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it
looks like the bindings to the referrals of the external LDAP servers
are no longer being made using the authentication information
specified in pseudorootdn and pseudorootpw, but are being made
anonymously. I have a backend meta that encapsulates a local LDAP
server and some remote ones, mainly Active Directory ones not under my
control. It also has a pcache overlay. Until now, pseudoroot* auth.
info. was used both when binding to Active Directories and when
chasing their referrals, but now it is only being used to bind to the
ADs and the binds to their referrals are being made anonymously.
Is that behavior still supported?. When slapd starts, it prints:
line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use
"idassert-bind" and "idassert-authzFrom" instead.
But slapd starts correctly. Does that mean that the directive works as
it used to but it will be removed in the future, or that its
functionality is deactivated until the user replaces it with
If it is the former, then the problem should be related to some other
change between 2.3 and 2.4, what could it be?.
If it is the later and pseudorootdn must be replaced with
ideassert-bind, I have tried it with all kinds of modes (none, self,
legacy), flags, and different idassert-authzFrom's,
with no sucess.
I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried
upgrading to 2.4.17 with the same results. Bindings from clients to my
server are always done using the same DN (rootdn).
It has been some days now since I started looking into this, so any
help is greatly appreciated.
Here is the relevant config:
loglevel config stats stats2
access to * by * write