Chain authentication bind configuration
- To: <openldap-technical@openldap.org>
- Subject: Chain authentication bind configuration
- From: Dave Stoll <dave.stoll@mac.com>
- Date: Wed, 09 Jan 2008 16:42:48 -0500
- Thread-index: AchTCJOG0i7Xmb77EdyAxwAX8vW9tQ==
- Thread-topic: Chain authentication bind configuration
- User-agent: Microsoft-Entourage/11.3.6.070618
Hello -
I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri.
From man slapd-ldap(5) I see the following:
acl-bind
...
This identity is by no means implicitly used by the proxy when the client connects anonymously. The idassert-bind feature, instead, in some cases can be crafted to implement that behavior, which is intrinsically unsafe and should be used with extreme care. This directive obsoletes acl-authcDN, and acl-passwd.
...
Unfortunately, I’m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated.
Any help would be welcome.
Cheers,
Dave
--
Dave Stoll
echo mac | sed 's/^/dave.stoll@/;s/$/.com/'
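A slapd.conf fragment for the setup described in the post, added here as an illustration and not taken from the original message: it attaches slapo-chain to the local database and, for each referenced server, uses chain-idassert-bind with mode=none, so the proxy binds with one fixed identity for every chained operation whether the client is anonymous or authenticated. Hostnames, DNs, the database type and the CHANGEME password are assumed placeholders; confirm the mode semantics against the slapd-ldap(5) page shipped with your OpenLDAP version.

```conf
# slapd.conf fragment (example, not from the original post).
# Chains a local database to two remote servers and always binds to them
# as a fixed proxy identity (idassert-bind mode=none), for anonymous and
# authenticated clients alike. Hostnames, DNs and the CHANGEME password
# are placeholders.
database        bdb
suffix          "dc=example,dc=com"
# ... local database directives (directory, indexes, ACLs) ...

overlay         chain
# Hand the remote server's result to the client instead of a referral,
# so clients never need to chase the ref: entries themselves.
chain-return-error      TRUE

# Per-URI group for the first referenced server. Every chain-* directive
# that follows a chain-uri applies to that URI only.
chain-uri               "ldap://ldap1.example.com/"
# mode=none: no proxyAuthz control is sent, so each operation chained to
# this server is performed as the binddn below regardless of who the
# local client is. This is the behaviour slapd-ldap(5) calls unsafe:
# the remote ACLs for this account are now the only limit on what an
# anonymous local client can read.
chain-idassert-bind     bindmethod=simple
                        binddn="cn=chain-proxy,dc=example,dc=com"
                        credentials="CHANGEME"
                        mode=none

# Second referenced server, with its own proxy identity and password.
chain-uri               "ldap://ldap2.example.com/"
chain-idassert-bind     bindmethod=simple
                        binddn="cn=chain-proxy,dc=example,dc=com"
                        credentials="CHANGEME"
                        mode=none
```

Give the proxy account on each remote server only the read rights the chained lookups actually need, and keep slapd.conf readable solely by the slapd user, since the credentials are stored in clear text.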