> I'm trying to use OpenLDAP as a proxy. I want it to bind to the remote
> LDAP server with a fixed dn, and use that dn for searches. This way,
> any dn binding to the proxy (even anonymously) could see objects and
> attributes that the dn used to bind to the real LDAP server can see.

This is discussed in the slapd-ldap(5) man page. See the "idassert-bind" statement.

> My problem is that it seems that the proxy does not bind to the remote
> server (in other words, it binds anonymously), just forwards searches,
> which fail this way, because the remote server requires authentication.
> The binddn and bindpw configuration options are correct, I can use
> ldapsearch to retrieve objects directly from the remote server.
>
> Looking at the network traffic, I can't see the proxy attempting to bind
> using the dn given in the binddn option.

Then you didn't read the man page. The "binddn" statement specifies a DN
for a very specific purpose, which is not the one you are trying to obtain.

> Here is the relevant part of my slapd.conf:
>
> ==
> database ldap
> suffix dc=company,dc=local
> chase-referrals no
> lastmod off
> uri ldap://remotehost
> binddn <binddn>
> bindpw <bindpw>
> ==
>
> Is it possible to configure back-ldap this way?

With OpenLDAP 2.3, yes. But not with the above configuration. See slapd-ldap(5).

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: [EMAIL PROTECTED]
---------------------------------------
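For readers landing on this thread, the following slapd.conf fragment is an added illustration of the `idassert-bind` approach the reply points to; it is not configuration from the original poster or from the OpenLDAP project, and the DN, password, hostname and suffix are constructed placeholders. It assumes an OpenLDAP 2.3 back-ldap and that `mode=none` makes the proxy perform remote operations under its own administrative identity without asserting the client's identity, and that `idassert-authzFrom "*"` is needed so that every local client, anonymous ones included, is covered; both points should be checked against the installed version's slapd-ldap(5), since option semantics have changed between releases.

```conf
# Added example, not the poster's config: back-ldap proxy that performs all
# remote operations as one fixed DN (constructed placeholder values).
database        ldap
suffix          "dc=company,dc=local"
uri             "ldap://remotehost"      # constructed placeholder
chase-referrals no
lastmod         off

# Identity used by the proxy itself for the remote operations.
# "mode=none" is assumed to mean: bind as this DN and do NOT proxy-authorize
# the local client's identity, so the remote server sees only the proxy DN.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=company,dc=local"   # constructed placeholder
                credentials="proxy-password-placeholder" # constructed placeholder
                mode=none

# Assumed to be required so that all local identities, anonymous ones
# included, are allowed to operate through the asserted proxy identity.
idassert-authzFrom "*"

# Because every client now inherits the proxy DN's view of the remote tree,
# the proxy's own ACLs are the only place left to narrow what is exposed;
# this one restricts anonymous clients to read-only access (example rule).
access to *
        by anonymous read
        by * none
```

With this layout the `binddn`/`bindpw` pair from the original snippet is not used at all: those directives serve a different purpose in back-ldap, as the reply notes. Since the proxy's credentials are stored in clear text in slapd.conf, the file should be readable only by the slapd user, and the exposure this setup creates is exactly as wide as the proxy DN's rights on the remote server, so those rights and the proxy's local `access` rules deserve the same review as any other anonymous-facing service.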
