Re: ldap meta + activedirectory

[Pierangelo Masarati <ando@sys-net.it>]

Julien TOUCHE wrote:

> has anyone any experience to make openldap connect in meta on an
> activedirectory ? 

Yes.

> what uri/binddn/acl do you use ? which rights on windows domain has bind
> user ?

URI: ldap:// or ldaps://; the latter may require tweaking OpenLDAP's 
ldap.conf to provide appropriate CA certificate or to disable CA cert 
checking as considered appropriate; see ldap.conf(5) for details.
ACL: is up to what further restrictions you want to set on data 
disclosed by the remote server
binddn: I don't understand what you mean.  You need a valid identity to 
authenticate.  If you mean the "BINDDN" directive in ldap.conf(5), 
that's the default identity you intend to use; but back-meta won't 
likely work because a password is expected, and none is being provided. 
If you mean the "binddn" (and "bindpw") directive(s) in slapd-meta(5), 
that identity is simply used for internal operations, so it has to be a 
valid identity but it's not going to help in overriding restrictions on 
anonymous access.  If you need to somehow override anonymous access 
restrictions, I suggest you take a look at the "identity assertion" 
feature of back-ldap (not released yet; it's been in HEAD code, and 
documented on the FAQ <http://www.openldap.org/faq/data/cache/532.html> 
for nearly a year, though).

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497