Hi,
After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it looks like the bindings to the referrals of the external LDAP servers are no longer being made using the authentication information specified in pseudorootdn and pseudorootpw, but are being made anonymously. I have a backend meta that encapsulates a local LDAP server and some remote ones, mainly Active Directory ones not under my control. It also has a pcache overlay. Until now, pseudoroot* auth. info. was used both when binding to Active Directories and when chasing their referrals, but now it is only being used to bind to the ADs and the binds to their referrals are being made anonymously.
Is that behavior still supported? When slapd starts, it prints:
line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use "idassert-bind" and "idassert-authzFrom" instead.
But slapd starts correctly. Does that mean that the directive works as it used to but it will be removed in the future, or that its functionality is deactivated until the user replaces it with idassert-bind?
If it is the former, then the problem should be related to some other change between 2.3 and 2.4; what could it be?
If it is the latter and pseudorootdn must be replaced with idassert-bind, I have tried it with all kinds of modes (none, self, legacy), flags, and different idassert-authzFrom's, with no success.
I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried upgrading to 2.4.17 with the same results. Bindings from clients to my server are always done using the same DN (rootdn).
It has been some days now since I started looking into this, so any help is greatly appreciated.
Here is the relevant config:
(...includes...)
loglevel        config stats stats2

modulepath      /usr/lib/ldap
moduleload      back_bdb
moduleload      back_ldap
moduleload      back_meta
moduleload      pcache

allow           update_anon
access to * by * write

database        meta
suffix          "dc=myldap,dc=local"
rootdn          "cn=manager,dc=myldap,dc=local"
rootpw          "passwd"
chase-referrals yes
rebind-as-user  no
dncache-ttl     forever
network-timeout 5
nretries        5
idle-timeout    5m
pseudoroot-bind-defer yes
overlay         pcache
(...cache options..)

uri             "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage   "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"
pseudorootdn    "CN=Administrator,DC=Users,DC=externalldap,DC=com"
pseudorootpw    windowsadminpasswd
(...maps...)
Thanks, Javier
Hi again,
I understand that was a pretty specific question, so I'm going to try to make it a bit more general:
- Is it possible to specify the authentication slapd should use when chasing referrals of external LDAP servers?
Thanks, Javier
On Fri, Sep 24, 2010 at 2:00 PM, Javier Sanz jsceballos@gmail.com wrote:
openldap-technical@openldap.org
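For reference, here is the shape the back-meta target takes once the removed pseudorootdn/pseudorootpw pair is expressed with the idassert-bind and idassert-authzFrom directives that the 2.4 startup warning points to. This is an added example, not Javier's file and not a configuration shipped by the OpenLDAP project; the host names, DNs and password are the placeholder values from the thread, the pcache options and attribute maps elided in the post are left out, and the choice of mode=none with flags=non-prescriptive is the usual way to reproduce the old "bind to the remote server with a fixed administrative identity" behaviour, since Active Directory does not honour the proxyAuthz control that the other modes attach.

```conf
# Added example (not from the thread or from OpenLDAP): a back-meta target
# with idassert-bind in place of pseudorootdn/pseudorootpw.
# Host, DNs and password are the placeholders used in the thread.

database        meta
suffix          "dc=myldap,dc=local"
rootdn          "cn=manager,dc=myldap,dc=local"
rootpw          "passwd"
chase-referrals yes
rebind-as-user  no
network-timeout 5
nretries        5
idle-timeout    5m
# In 2.4 this defers the bind with the idassert identity until an
# operation actually needs it (same directive as in the posted config).
pseudoroot-bind-defer yes

# Everything after "uri" applies to this target only.
uri             "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage   "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"

# Bind to the target with the proxy's own administrative identity.
# mode=none:               never attach a proxyAuthz control; the remote
#                          server sees binddn itself, as with pseudorootdn.
# flags=non-prescriptive:  a local identity not matched by
#                          idassert-authzFrom is proxied with its own
#                          credentials instead of having the operation fail.
# Lines starting with whitespace continue the previous slapd.conf line.
idassert-bind   bindmethod=simple
                binddn="CN=Administrator,DC=Users,DC=externalldap,DC=com"
                credentials="windowsadminpasswd"
                mode=none
                flags=non-prescriptive

# Local identities allowed to be proxied with the asserted identity.
# The thread says every client binds as the rootdn, so list only that DN;
# "*" would extend the administrative AD identity to all clients,
# anonymous ones included.
idassert-authzFrom "dn.exact:cn=manager,dc=myldap,dc=local"
```

Two things worth checking against the posted configuration while testing this. First, the example only reproduces the bind to the target itself; which credentials back-meta reuses when it then chases a referral returned by that target is exactly the open question of the thread, and the slapd-ldap(5) description of rebind-as-user speaks of remembering the client's bind credentials "when chasing a referral, if chase-referrals is set to yes", so comparing the bind lines in the stats log with that option set to yes and to no is the quickest way to see which identity is used on the chased connection. Second, the posted global ACL (allow update_anon together with access to * by * write) lets any client, including anonymous ones, write through a proxy that binds to the remote directories as an administrator; restricting idassert-authzFrom to the rootdn, as above, keeps the asserted AD identity from being handed to every caller, and tightening that ACL is advisable regardless of how the referral question is resolved.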