[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: ldap meta + activedirectory

To: Dieter Kluenter <dieter@dkluenter.de>
Subject: Re: ldap meta + activedirectory
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 22 Jan 2005 18:42:55 +0100
Cc: openldap-software@OpenLDAP.org
References: <41F22341.30101@lycos.com> <41F23000.3030202@sys-net.it> <m3u0p9ie8u.fsf@marin.l4b.de>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Dieter Kluenter wrote:

As far as I remember, back-meta passes any simple bind credentials it receives to the remote server.

Correct. Simple binds are propagated, much like back-ldap does. I was referring to the "binddn" (and "bindpw") statement(s) in slapd-meta(5), whose usage has been often misinterpreted as the identity back-meta (and back-ldap) would use to propagate anonymous binds. To reduce the chances of misinterpretation, in HEAD/2.3 the "binddn" and "bindpw" statements have been renamed "acl-authcDN" and "acl-passwd", indicating that they're the identity back-ldap uses to access the remote server for local ACL checking purposes. Identity assertion occurs in HEAD/2.3 by means of the identity assertion mechanism, which, in some cases, may result in anonymous binds occur by way of some administrative identity, e.g. back-ldap authenticates with some administrative identity and asserts the anonymous identity by means of the proxyAuthz control. There's a variety of identity assertion policies currently implemented in back-ldap. See 2.3's slapd-ldap(5).

p.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- ldap meta + activedirectory
  - From: Julien TOUCHE <julien.touche@lycos.com>
- Re: ldap meta + activedirectory
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: ldap meta + activedirectory
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Re: ldap meta + activedirectory
Next by Date: Re: ldap meta + activedirectory
Index(es):
- Chronological
- Thread