[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-ldap and authentication

To: openldap-software@openldap.org
Subject: Re: slapd-ldap and authentication
From: Daniel Tiefnig <openldap@sipwise.com>
Date: Tue, 07 Apr 2009 15:54:33 +0200
In-reply-to: <49CBDB81.2000609@linagora.com>
References: <49C445F6.8040609@sipwise.com> <49CBDB81.2000609@linagora.com>
User-agent: Mozilla-Thunderbird 2.0.0.19 (X11/20090103)

Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the 
> addressbook database, you don't appear to have performed a bind with 
> an identity on the addressbook database, so slapd-ldap just assumes 
> the anonymous identity.

Ah, yes. That sounds reasonable.

> Basically, the server has no way of knowing that it can trust your 
> bind from the NSS database.

Sure, but as the databases reside on the same backend server, it might
just give it a try and leave the decision to the backend server. This
would not make sense (and introduce a security breach) with different
backend servers of course. Maybe this could be considered a valid
feature request for a future release. (Or maybe this just doesn't work
out as I think it does.)

> The idassert-bind configuration may be of help to you

Thanks, I gave it a try with no success. Think I'll just have to read up
more on this stuff. Meanwhile I "fixed" my setup by configuring the
proxy to forward everything below "dc=sipwise,dc=com" to the backend
server. So the proxy now thinks "dc=nss" and "dc=addressbook" are within
the same database.

Thanks again and best regards,
daniel

Prev by Date: Re: openldap getting very slow
Next by Date: Re: openldap getting very slow
Index(es):
- Chronological
- Thread