Hello,
I'm trying to configure a proxy with slapd-meta. I have my data on an OpenLDAP server, ldap-1.example.org, and my meta backend set up on ldap-proxy.example.org.
Here is the main part of my conf:

# {2}meta, config
dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=test,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=bind,dc=test,dc=com
olcRootPW: password
olcDbRebindAsUser: FALSE

# {0}uri, {2}meta, config
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://ldap-1.example.org:389/ou=dpt,dc=test,dc=com"
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical bindmethod=simple timeout=0 network-timeout=0 binddn="cn=manager" credentials="password" keepalive=0:0:0
olcDbRewrite: {0}suffixmassage "ou=dpt,dc=test,dc=com" "ou=dpt,dc=test,dc=com"
olcDbRebindAsUser: FALSE
It works fine: when I do an ldapsearch on ldap-proxy.example.org I retrieve my data stored on ldap-1.example.org. But in order to do that, I'm forced to use unique and administrative accounts: cn=bind,dc=test,dc=com for my proxy and cn=manager for my main LDAP server.
For security reasons, I would like to avoid using an admin account for binding and instead use any user credentials I choose to connect to the target servers for searches beyond the first target (my proxy). For example, if I have an account named ou=account,dc=test,dc=com on my LDAP server, I would like to bind my proxy directly with this account and dynamically propagate the credentials for verification on my LDAP server, returning the results if the credentials are correct.
I thought that "rebind-as-user YES" would resolve this, but it doesn't work.
Is there something I'm missing?
Thanks!
Arthur
openldap-technical@openldap.org
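Added example, not part of Arthur's message or of any reply on the list: the same two cn=config entries with the olcDbIDAssertBind line removed, so that the proxy holds no administrative identity of its own for ldap-1 and has nothing to use on the target except the simple bind each client presents. It assumes slapd-meta's behaviour when no identity assertion is configured, namely that the bind operation is passed to the target whose naming context matches the bind DN and the connection to that target stays bound as the client for the rest of the session; that ldap-1.example.org also listens on LDAPS (the ldaps:// URI and port 636 are assumptions, chosen because forwarded user passwords would otherwise cross the network in clear over the ldap://...:389 URI from the post); and that user entries live under ou=dpt,dc=test,dc=com. The olcRootDN/olcRootPW pair is left out because clients are meant to bind as their own DN, and the suffixmassage rule is dropped because it mapped the suffix onto itself.

```ldif
# Added example configuration (assumed layout, not from the original post).
# Database entry: no olcRootDN/olcRootPW, so the proxy has no local
# administrative identity that a client could bind with instead of its own.
dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=test,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcDbRebindAsUser: FALSE

# Target entry: the olcDbIDAssertBind line (binddn="cn=manager" ...) from
# the post is intentionally absent. With no identity to assert, slapd-meta
# forwards the client's own simple bind to this target and performs the
# client's later searches on that same bound connection.
# ldaps://...:636 is an assumption: the forwarded user password travels on
# this link, so it should not be plain ldap://.
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldaps://ldap-1.example.org:636/ou=dpt,dc=test,dc=com"
olcDbRebindAsUser: FALSE
```

To check that credentials really are being verified by ldap-1 rather than by the proxy, bind to ldap-proxy.example.org as an ordinary entry under ou=dpt,dc=test,dc=com (for instance `ldapsearch -H ldaps://ldap-proxy.example.org -D "uid=jdoe,ou=dpt,dc=test,dc=com" -W -b "ou=dpt,dc=test,dc=com" "(objectClass=*)"`, where uid=jdoe is a hypothetical user) and confirm the entries come back, then repeat with a wrong password: the proxy should return Invalid credentials (49) relayed from ldap-1, and ldap-1's own log should show a BIND for uid=jdoe rather than for cn=manager. Note that rebind-as-user only governs whether the client's credentials are reused when chasing referrals or re-establishing a dropped connection, so it does not change which identity the proxy uses on the target in the first place.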