I am using OpenLDAP as the credential backend to an SSO solution. The SSO software attempts a simple BIND with the user DN and the password supplied by the user. This all works as intended.
However, there are some legacy web applications that pre-date our SSO solution that use direct LDAP authentication. That is, the web application collects the user password from a form submission, and then it makes its own BIND attempt with the user DN and supplied password.
These legacy apps have legitimate reasons to connect to our LDAP service for non-authentication purposes.
Is there a way that I can prevent BINDs for normal user DNs from any source other than the SSO software? Network-based solutions do not seem to be an option because all these applications have their private IP addresses assigned dynamically.
I had tried setting up access control rules to only allow the "auth" access level to unprivileged user entries by already authenticated users, but that doesn't seem to work. In the OpenLDAP logs, I see the privileged BIND is successful. However, when issuing a second BIND for the unprivileged user, OpenLDAP first logs:
    BIND anonymous mech=implicit bind_ssf=0 ssf=0
and then the subsequent normal user BIND fails, as anonymous BINDs are not allowed for those entries. I'm not sure if this is part of the LDAP protocol or due to the LDAP client I am using, or something related to the OpenLDAP service. I have tried 2 different clients with similar results.
Is my approach to this issue technically possible? Are there other solutions?
Thanks,
Carl Waldbieser
ITS Lafayette College
openldap-technical@openldap.org
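The "BIND anonymous mech=implicit" line in the post is not client-specific: when a connection that already holds a bound identity receives a new Bind request, slapd drops that identity before it evaluates the new credentials, so an ACL of the form "by dn=... auth" on user entries is evaluated for an anonymous requester and cannot distinguish the SSO connection from a legacy application's. What the logs do still record is which identity the connection held just before each rebind and which peer it came from, which is enough to audit where direct user-DN binds originate even when ACLs cannot enforce it. The script below is an added example, not code from the thread or from the OpenLDAP project: it walks slapd stats-level log lines (constructed sample lines, with the syslog prefix removed; the SSO DN, the user container and all addresses are assumed names) and reports each simple bind against a user entry together with its source address, its result, and whether the connection was held by the SSO account at the time.

```python
"""Audit OpenLDAP stats-level log lines for simple BINDs against user entries.

Added example for the thread above; not OpenLDAP project code. SSO_DN and
USER_BASE are assumed names, and SAMPLE_LOG below is constructed.
"""
import re
from collections import defaultdict

SSO_DN = "cn=sso,ou=services,dc=example,dc=edu"   # assumed DN of the SSO service account
USER_BASE = "ou=people,dc=example,dc=edu"          # assumed container holding user entries

# Patterns follow slapd's stats-level log lines (syslog prefix already stripped).
ACCEPT_RE = re.compile(r'conn=(\d+) fd=\d+ ACCEPT from IP=(\S+)')
ANON_RE = re.compile(r'conn=(\d+) op=(\d+) BIND anonymous mech=implicit')
BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" method=')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT tag=97 err=(\d+)')  # tag 97 = bindResponse


def is_user_dn(dn):
    """True for entries directly or indirectly under USER_BASE."""
    return dn.lower().endswith("," + USER_BASE.lower())


def audit_binds(lines):
    """Return one record per BIND against a user DN: the peer it came from,
    whether it succeeded, and the identity the connection held before the
    Bind request discarded it."""
    source = {}                                   # conn -> peer address
    bound_as = defaultdict(lambda: "anonymous")   # conn -> identity after the last bind
    pending = {}                                  # (conn, op) -> in-flight bind
    findings = []
    for line in lines:
        if m := ACCEPT_RE.search(line):
            source[m.group(1)] = m.group(2)
        elif m := ANON_RE.search(line):
            # Logged when a bound connection receives a new Bind request: the old
            # identity is dropped before the new credentials are checked, so ACLs
            # consulted during the bind see an anonymous requester.
            conn, op = m.groups()
            pending[(conn, op)] = {"prior": bound_as[conn]}
            bound_as[conn] = "anonymous"
        elif m := BIND_RE.search(line):
            conn, op, dn = m.groups()
            rec = pending.setdefault((conn, op), {"prior": bound_as[conn]})
            rec["dn"] = dn
        elif m := RESULT_RE.search(line):
            conn, op, err = m.groups()
            rec = pending.pop((conn, op), None)
            if rec is None or "dn" not in rec:
                continue                          # bind result we never saw the request for
            ok = err == "0"
            bound_as[conn] = rec["dn"] if ok else "anonymous"
            if is_user_dn(rec["dn"]):
                findings.append({
                    "conn": conn, "op": op, "dn": rec["dn"],
                    "source": source.get(conn, "?"),
                    "prior": rec["prior"], "ok": ok,
                    "via_sso": rec["prior"].lower() == SSO_DN.lower(),
                })
    return findings


def summarize(findings):
    """Count user binds made on SSO-held connections versus direct ones."""
    counts = {"via_sso": 0, "direct": 0}
    for f in findings:
        counts["via_sso" if f["via_sso"] else "direct"] += 1
    return counts


# Constructed sample: conn=1000 is the failure described in the post (SSO binds,
# then rebinds as a user and is refused), conn=1001 is a legacy application
# binding directly as a user, conn=1002 is an SSO rebind that succeeds.
SAMPLE_LOG = """\
conn=1000 fd=12 ACCEPT from IP=10.20.0.15:50321 (IP=0.0.0.0:389)
conn=1000 op=0 BIND dn="cn=sso,ou=services,dc=example,dc=edu" method=128
conn=1000 op=0 BIND dn="cn=sso,ou=services,dc=example,dc=edu" mech=SIMPLE bind_ssf=0 ssf=0
conn=1000 op=0 RESULT tag=97 err=0 text=
conn=1000 op=1 BIND anonymous mech=implicit bind_ssf=0 ssf=0
conn=1000 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
conn=1000 op=1 RESULT tag=97 err=49 text=
conn=1001 fd=13 ACCEPT from IP=10.20.3.77:41002 (IP=0.0.0.0:389)
conn=1001 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=edu" method=128
conn=1001 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=edu" mech=SIMPLE bind_ssf=0 ssf=0
conn=1001 op=0 RESULT tag=97 err=0 text=
conn=1002 fd=14 ACCEPT from IP=10.20.0.15:50340 (IP=0.0.0.0:389)
conn=1002 op=0 BIND dn="cn=sso,ou=services,dc=example,dc=edu" method=128
conn=1002 op=0 BIND dn="cn=sso,ou=services,dc=example,dc=edu" mech=SIMPLE bind_ssf=0 ssf=0
conn=1002 op=0 RESULT tag=97 err=0 text=
conn=1002 op=1 BIND anonymous mech=implicit bind_ssf=0 ssf=0
conn=1002 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" method=128
conn=1002 op=1 BIND dn="uid=jdoe,ou=people,dc=example,dc=edu" mech=SIMPLE bind_ssf=0 ssf=0
conn=1002 op=1 RESULT tag=97 err=0 text=
"""

if __name__ == "__main__":
    results = audit_binds(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"conn={f['conn']} {f['source']} {f['dn']} via_sso={f['via_sso']} ok={f['ok']}")
    print(summarize(results))
```

The "prior" field is exactly the information the access control approach in the post needed and which the server no longer has when the bind is evaluated; from the log it is recoverable after the fact, so the report can be run over a day's logs to list which peers are still doing direct user binds, independent of whether their addresses are fixed.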