
Re: ldap meta + activedirectory



Pierangelo Masarati <ando@sys-net.it> writes:

> Julien TOUCHE wrote:
>
>>
>> Has anyone any experience making openldap connect in meta to an
>> Active Directory?
>
> Yes.
>
>>
>> What uri/binddn/acl do you use? Which rights on the windows domain does
>> the bind user have?
>
> URI: ldap:// or ldaps://; the latter may require tweaking OpenLDAP's
> ldap.conf to provide appropriate CA certificate or to disable CA cert
> checking as considered appropriate; see ldap.conf(5) for details.
> ACL: is up to what further restrictions you want to set on data
> disclosed by the remote server
> binddn: I don't understand what you mean.  You need a valid identity
> to authenticate.  If you mean the "BINDDN" directive in ldap.conf(5),
> that's the default identity you intend to use; but back-meta won't
> likely work because a password is expected, and none is being
> provided. If you mean the "binddn" (and "bindpw") directive(s) in
> slapd-meta(5), that identity is simply used for internal operations,
> so it has to be a valid identity but it's not going to help in
> overriding restrictions on anonymous access.  If you need to somehow
> override anonymous access restrictions, I suggest you take a look at
> the "identity assertion" feature of back-ldap (not released yet; it's
> been in HEAD code, and documented on the FAQ
> <http://www.openldap.org/faq/data/cache/532.html> for nearly a year,
> though).

As far as I remember, back-meta passes any simple bind credentials it
receives to the remote server.

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53
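A slapd.conf and ldap.conf fragment that puts the pieces from this thread together (ldaps:// target, CA checking in ldap.conf, binddn/bindpw for internal operations only, an ACL on disclosed data). This is an added example, not configuration from the thread or from the OpenLDAP project; the host name, DNs, CA file path and password are placeholders.

```conf
# /etc/openldap/slapd.conf (fragment) -- added example, placeholders throughout.

database        meta
suffix          "dc=example,dc=com"

# Proxy the Active Directory domain under a branch of the local suffix.
# The DN in the uri is the LOCAL (virtual) naming context; suffixmassage
# maps it to the REAL naming context on the AD side.
uri             "ldaps://ad.example.com/dc=ad,dc=example,dc=com"
suffixmassage   "dc=ad,dc=example,dc=com" "dc=corp,dc=example,dc=com"

# Identity used only for back-meta's own internal operations; it does not
# lift anonymous-access restrictions for clients (see the reply above).
# A plain domain user with read rights is enough. bindpw is stored in the
# clear, so keep slapd.conf readable by the slapd user only (mode 0600).
binddn          "cn=ldapproxy,cn=Users,dc=corp,dc=example,dc=com"
bindpw          "CHANGEME-placeholder"

# Clients' simple binds are forwarded to AD as-is, so require an
# authenticated client before disclosing anything, and keep the
# transport on ldaps:// so forwarded credentials are not sent in clear.
access to *
        by users read
        by * none

# /etc/openldap/ldap.conf -- how slapd's client side validates AD's cert.
#
# Weak: accepts any certificate, so anyone in the path can intercept the
# forwarded binds. Only acceptable for a lab.
# TLS_REQCERT   never
#
# Preferred: trust the CA that issued the AD server certificate and
# refuse to connect if the certificate does not verify.
TLS_CACERT      /etc/openldap/cacerts/ad-ca.pem
TLS_REQCERT     demand
```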