Re: back-ldap configuration
Jubal Kessler wrote:
>
> Hi,
>
> What's the proper way to set up back-ldap to perform simple
> authentication? Whatever I'm doing doesn't seem to work.
> My slapd.conf's back-ldap section is:
>
> database ldap
> suffix "dc=server,dc=com"
> uri "ldap://target.server.com"
> binddn "cn=Manager,dc=server,dc=com"
> bindpw "temp-passwd"
^^^ This is NOT the rootdn (which is simply ignored by back-ldap
as shipped with REL_ENG) so it does NOT represent a user that
has any special administrative rights. It is used INTERNALLY
by back-ldap to perform administrative queries to the target
server, mainly related to accessing ACL-related attributes.
If you don't want the target to allow anonymous bind, then try
to bind to the proxy with a valid user, which means a user
that's valid on the target server. You don't need binddn/bindpw
unless you plan to use extra ACLs on the proxy.
> lastmod off
>
> When I perform a query, it is routed via back-ldap to the target
> server, but no results are returned. If I enable anonymous read in
> the target server's ACL, then it works. But that defeats the purpose
> of using simple authentication here.
>
> the binddn of "cn=Manager,dc=server,dc=com" does not exist in the
> target server's database, but it *does* exist in the target server's
> slapd.conf. Does this matter?
Yes. That suffices. The only point is that the target server must
accept the binddn as a user that grants READ (and SEARCH, I guess)
access to the entries and the attributes that are used in ACLs on
the proxy.
--
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale  | fax:   +39 02 2399 8334
Politecnico di Milano   | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
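The configuration the reply describes, written out as an added example (editor's illustration, not taken from the thread or from the OpenLDAP distribution). It shows the two halves that have to agree: the proxy's back-ldap section, where binddn/bindpw are only the identity back-ldap uses internally to evaluate the proxy's own ACLs, and the target's slapd.conf, where that identity is granted read and search on exactly the entries and attributes those proxy ACLs reference, while the anonymous-read rule the original poster fell back to stays commented out. All DNs, hostnames, group names and passwords below are placeholders. Rather than the target's rootdn, the example uses a dedicated low-privilege entry for the proxy, which is an editor's recommendation, not something the reply requires: the reply confirms that the target's rootdn also works as binddn.

```conf
############################################################
# Proxy host: slapd.conf, back-ldap section (added example)
############################################################
database        ldap
suffix          "dc=server,dc=com"
# Placeholder target; use ldaps:// in practice so that neither bindpw nor
# the end users' forwarded simple-bind passwords cross the wire in clear.
uri             "ldaps://target.server.com"

# Internal identity ONLY. It is not the rootdn and carries no special
# rights on the proxy; back-ldap binds as it to read the entries and
# attributes that the proxy-side ACLs below need (here: group membership).
# Keep slapd.conf readable by the slapd user only, since bindpw is clear.
binddn          "cn=proxy-acl,ou=services,dc=server,dc=com"
bindpw          "proxy-acl-placeholder-secret"
lastmod         off

# Proxy-side ACL. The group= clause is what makes binddn/bindpw necessary:
# to evaluate it, back-ldap must fetch cn=admins from the target. Without
# extra ACLs like this one, binddn/bindpw can be omitted entirely.
access to dn.subtree="ou=people,dc=server,dc=com"
        by group="cn=admins,ou=groups,dc=server,dc=com" write
        by users read
        by * none

############################################################
# Target host: slapd.conf, relevant ACL fragment (added example)
############################################################
# The proxy's binddn is a real entry here (an entry under ou=services).
# It needs read (which includes search) on the entries and attributes the
# proxy's ACLs consult: the group entry and its member attribute.
access to dn.subtree="ou=groups,dc=server,dc=com" attrs=entry,member,objectClass
        by dn.exact="cn=proxy-acl,ou=services,dc=server,dc=com" read
        by users read
        by * none

# End users bind through the proxy with their own DN/password, which the
# proxy forwards; they must therefore be valid here, so anonymous needs
# only "auth" on userPassword, not read on anything.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Weak setting the original poster used to make queries work. It defeats
# the point of requiring a bind, so it stays disabled:
# access to * by anonymous read

access to *
        by dn.exact="cn=proxy-acl,ou=services,dc=server,dc=com" read
        by users read
        by * none
```

A quick check of the setup: an anonymous search through the proxy should return nothing (the target refuses it), a search bound as a user that exists on the target should return results, and a search bound as a user that exists only on the proxy should fail at bind time, because the proxy does not hold the password and simply forwards the bind. Note that in later OpenLDAP releases the same internal identity is configured with the acl-bind directive of slapd-ldap(5) instead of binddn/bindpw.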