Re: Chain authentication bind configuration

[Gavin Henry <ghenry@suretecsystems.com>]

Dave Stoll wrote:
> Hello -
>
> I seem to have run into a bit of a roadblock with my configuration.  I 
> am trying to build an OpenLDAP server which uses ref: entries to chain 
> to two other LDAP servers for user authorization.  I have been able to 
> get everything working fine so long as I allow anonymous binding on the 
> servers referenced from OpenLDAP.  Unfortunately, the security folks are 
> requesting the OpenLDAP server to force bind credentials for the 
> particular ldap uri.
>
> > From man slapd-ldap(5) I see the following:
>
> acl-bind
> ...
>               This  identity  is by no means implicitly used by the 
> proxy when
>               the client connects  anonymously.   The  idassert-bind 
>  feature,
>               instead,  in  some  cases  can  be  crafted  to  implement 
>  that
>               behavior, which is intrinsically unsafe and should be used 
>  with
>               extreme  care.   This  directive obsoletes acl-authcDN, 
> and acl-
>               passwd.
> ...
>
> Unfortunately, I’m having a bit of difficulty finding any documentation 
> supporting the ability to implicitly use a particular bindDN and simple 
> authentication password, regardless of whether the query is anonymous or 
> authenticated.
>
> Any help would be welcome.
>
> Cheers,
> Dave
>
>
>
>
> --
> Dave Stoll
> echo mac | sed 's/^/dave.stoll@/;s/$/.com/'

What slapd version are you on?

--
Kind Regards,

Gavin Henry.
Managing Director.

T +44 (0) 1224 279484
M +44 (0) 7930 323266
F +44 (0) 1224 824887
E ghenry@suretecsystems.com

Open Source. Open Solutions(tm).

http://www.suretecsystems.com/