On 02/28/2014 11:00 AM, [email protected] wrote:
> Full_Name: Angel Martinez
> Version: 2.4.39
> OS: Red Hat Linux 6.4
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (217.71.18.36)
>
>
> I'm trying to configure an LDAP proxy with slapd-meta.
>
> I have several suffixes over several instances that share the same user
> accounts. It's possible that one user has access to several targets.
>
> The targets are:
>
> * Users: ou=users, dc=test, dc=com (here reside all accounts)
>
> * Target1: ou=target1, dc=test, dc=com
>
> * Target2: ou=target2, dc=test, dc=com
>
> These 3 suffixes are on 3 different instances.
>
> The instances where target1 and target2 are also have another suffix:
> ou=users, dc=test, dc=com. This suffix is replicated from the first
> instance (Users).
>
> Normally, the users connect through the proxy, but sometimes they will
> connect directly to the other instances.
>
> Basically this is the slapd.conf of the proxy:
>
> database meta
> chase-referrals yes
> rebind-as-user yes
>
> suffix "ou=users,dc=test,dc=com"
> uri "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"
>
> suffix "ou=target1,dc=test,dc=com"
> uri "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
>
> suffix "ou=target2,dc=test,dc=com"
> uri "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
>
> When a user connects to the proxy with cn=user1,ou=users,dc=test,dc=com, the
> user is validated against the first target (ou=users) and can search over
> this suffix, but if this user tries to search something over another target
> (for example ou=target1) the proxy does not use the credentials of the user
> and does an anonymous bind to target1, so the search doesn't run.
>
> I thought that rebind-as-user would resolve this, but it doesn't run.
>
> I've tried using idassert-bind mode=self bindmethod=simple
> binddn="cn=adminuser,ou=users,dc=test,dc=com" credentials="password" and it
> runs ok, but I prefer not to use an administrative account to connect the
> proxy with the targets.
>
> Is there something I'm missing?
Yes, you did not read the slapd-meta(5) man page. rebind-as-user is used in a
totally different context. What you need is idassert-bind.

Please direct further conversation to <[email protected]>.

This ITS will be closed.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
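For reference, this is what the proxy configuration from the report looks like once the two non-user targets carry an idassert-bind, as an added example that is not part of the ITS thread or of the OpenLDAP documentation. With it, back-meta binds to target1 and target2 as an administrative identity and asserts the client's own DN (by default with the proxyAuthz control), instead of falling back to an anonymous connection when the bound DN lies outside the target's naming context. The hosts, ports and suffixes are the ones from the report; the adminuser DN, its password, the idassert-authzFrom pattern and the target-side authzTo rule are assumptions for illustration.

```conf
# Proxy slapd.conf (added example; adminuser and its password are assumed)
database        meta
chase-referrals yes
# rebind-as-user only governs which credentials are reused when a referral
# is chased or a broken connection is re-established; it never carries the
# client's bind over to a different target
rebind-as-user  yes

# Target holding the accounts: clients bind directly against it
suffix  "ou=users,dc=test,dc=com"
uri     "ldap://192.168.1.34:3891/ou=users,dc=test,dc=com"

# target1: the proxy binds as adminuser and asserts the client's DN
# (mode=self, as in the report); lines starting with whitespace are
# continuation lines in slapd.conf
suffix  "ou=target1,dc=test,dc=com"
uri     "ldap://192.168.1.34:3892/ou=target1,dc=test,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=adminuser,ou=users,dc=test,dc=com"
                credentials="password"
                mode=self
# Only identities under ou=users may be asserted through this target
idassert-authzFrom "dn.subtree:ou=users,dc=test,dc=com"

# target2: same arrangement
suffix  "ou=target2,dc=test,dc=com"
uri     "ldap://192.168.1.34:3893/ou=target2,dc=test,dc=com"
idassert-bind   bindmethod=simple
                binddn="cn=adminuser,ou=users,dc=test,dc=com"
                credentials="password"
                mode=self
idassert-authzFrom "dn.subtree:ou=users,dc=test,dc=com"
```

The target side has to agree to the assertion: each target1/target2 instance needs `authz-policy to` in its own slapd.conf, and the cn=adminuser entry as seen by that instance needs an `authzTo: dn.subtree:ou=users,dc=test,dc=com` value, otherwise the proxied operations fail with an authorization error. Identity assertion does require a proxy identity that the targets trust, which is the part the reporter wanted to avoid; what limits the exposure is keeping that identity scoped by authzTo and idassert-authzFrom to exactly the user subtree, giving it no rights of its own in the target suffixes, and keeping the slapd.conf holding its password readable only by the slapd user.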
