
RE: rewrite a login into a dn in simple bind



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Quanah
> Gibson-Mount

> Hm, to be more specific, I know you can replicate a subtree in 2.1...
> I'm thinking more that you can't limit to specific attributes in a
> subtree -- like just uid, which is what he wants, out of an unknown
> number of attributes. Our account tree has many, including uid. So,
> with 2.2, it is possible to replicate just particular attributes of a
> given tree to a replica. :)

Are you forgetting the "attr" option in the 2.1 replica clause?

And to tie this back to the original question - you can certainly point your
clients at a back-ldap that has been configured with the info it needs to
bind to the real directory. Of course, if the back-ldap allows anonymous
clients to query it, this isn't any more secure than before. It's even worse,
actually, and your traffic is still in the clear instead of encrypted...

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
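As an added illustration (not from this thread or the OpenLDAP project), one slapd.conf sketch covering both approaches mentioned above: a 2.1-style replica clause restricted to uid, and a back-ldap proxy that refuses anonymous binds and cleartext simple binds, which is the weakness noted in the reply. Hostnames, DNs, file paths and the bind-DN rewrite rule are assumptions; the rewrite directives follow the slapd-ldap(5) rewrite engine of that era.

```conf
# --- Option 1: replicate only uid from the account tree (2.1 replica clause) ---
database bdb
suffix "dc=example,dc=com"          # assumed base DN
replogfile /var/lib/ldap/replog
replica uri=ldap://replica.example.com
        binddn="cn=replicator,dc=example,dc=com"
        bindmethod=simple credentials=REPLACE_ME
        attr=uid                    # push only uid, not the whole entry

# --- Option 2: back-ldap proxy in front of the real directory ---
# Globals: no anonymous binds, and simple binds only on a protected channel
disallow bind_anon
security ssf=128 simple_bind=128
TLSCertificateFile /etc/openldap/proxy.crt       # assumed paths
TLSCertificateKeyFile /etc/openldap/proxy.key

database ldap
suffix "dc=example,dc=com"
uri "ldaps://ldap.example.com/"    # real directory, reached over TLS
# Bind-DN rewrite: a client that binds as "uid=jdoe" (still a valid one-RDN DN,
# which slapd requires before the proxy ever sees it) is forwarded as the full
# entry DN.  The DN the client presents, not a search, is what gets rewritten.
rewriteEngine on
rewriteContext bindDn
rewriteRule "^uid=([^,]+)$" "uid=%1,ou=people,dc=example,dc=com" ":"
```

Without the `disallow bind_anon` and `security` lines the proxy would still let anonymous clients search it and accept logins in the clear, which is exactly the "no more secure than before" case described above.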