Actually I would not trust any software that sends passwords unencrypted over the wire today (maybe localhost connections excepted). Do you have specific reasons not to use an encrypted connection? It's non-obvious what you actually want to do. Maybe an X-Y-problem (https://en.wikipedia.org/wiki/XY_problem)?
Kind regards, Ulrich Windl
-----Original Message----- From: Fred N fred750164@gmail.com Sent: Thursday, May 1, 2025 11:20 PM To: openldap-technical@openldap.org Subject: [EXT] Re: RE: ldap proxy
Hello,
I’m trying to set up an OpenLDAP architecture where a client connects to a proxy using an unencrypted connection with a simple bind (e.g., via ldapsearch), and the proxy then connects securely to a backend LDAP server using TLS client certificate authentication via SASL EXTERNAL.
Here is what I’m aiming for:
• The client uses simple bind over ldap:// to connect to the proxy.
• The proxy should ignore the client’s bind credentials and use its own certificate to connect to the backend via ldaps:// or ldap+starttls:// using SASL EXTERNAL.
• The backend uses authz-regexp rules to map the proxy’s certificate DN to a local identity, which is authorized to perform the search on behalf of the client.
I’ve tested this setup with OpenLDAP versions 2.4, 2.5, and 2.6 but have not been able to make it work.
I gave a configuration in my first message, and I tried several configurations, but I always come back to this one when I read the docs or look at the forums.
Regards
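A configuration shape that matches the design described above, added here as a constructed example and not the configuration from Fred's first message (which is not quoted in this thread). It assumes the client binds as the proxy database's rootdn, which slapd's frontend authenticates locally so the simple bind is never forwarded to the backend, and that the backend's CA has issued the proxy a client certificate whose subject appears in the authz-regexp; all hostnames, paths, DNs and the password hash are placeholders.

```conf
# ---- proxy slapd.conf (constructed example) ----
TLSCACertificateFile    /etc/ldap/ca.crt      # CA that signed the backend's server cert

database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://backend.example.com/"
# The client's simple bind as this DN is satisfied by the slapd frontend,
# so the bind (and the client's password) is never proxied to the backend.
rootdn          "cn=proxy-client,dc=example,dc=com"
rootpw          {SSHA}REPLACE-WITH-slappasswd-OUTPUT
# Every forwarded operation is bound with the proxy's own client certificate
# (SASL EXTERNAL). mode=none: no proxyAuthz control is sent, so the backend
# sees only the proxy's certificate identity, never the client's.
idassert-bind   bindmethod=sasl
                saslmech=EXTERNAL
                mode=none
                tls_cert=/etc/ldap/proxy.crt
                tls_key=/etc/ldap/proxy.key
                tls_cacert=/etc/ldap/ca.crt
                tls_reqcert=demand

# ---- backend slapd.conf (constructed example) ----
TLSCertificateFile      /etc/ldap/backend.crt
TLSCertificateKeyFile   /etc/ldap/backend.key
TLSCACertificateFile    /etc/ldap/ca.crt      # CA that issued the proxy's client cert
TLSVerifyClient         demand                # a valid client cert is mandatory here
# SASL EXTERNAL yields the certificate subject, normalized, as the authcDN
# (check "conn=... AUTH ... dn=" in the backend log to see the exact string);
# map it onto a real entry so that ACLs can grant it access.
authz-regexp "^cn=ldap-proxy,ou=services,o=example$" "cn=ldap-proxy,ou=services,dc=example,dc=com"

database        mdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# Only the mapped proxy identity may read the tree; everyone else gets nothing.
access to dn.subtree="dc=example,dc=com"
        by dn.exact="cn=ldap-proxy,ou=services,dc=example,dc=com" read
        by * none
```

Verify the mapping before trusting the ACLs: `ldapwhoami -H ldaps://backend.example.com -Y EXTERNAL` with the proxy's certificate in `LDAPTLS_CERT`/`LDAPTLS_KEY` should print the mapped DN, not the raw certificate subject.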