> I've been racking my brains trying to understand the syntax of
> idassert-bind.
>
> In my current setup I have a local bdb database with some users and the
> base entry for the tree. I have a meta database that is subordinate to
> the bdb database.
>
> If I bind to the proxy as root, and search for anything, with any base
> (within the tree), openldap will bind to the relevant targets using the
> credentials defined in the idassert-bind directives.
>
> If I bind to the proxy as a user that exists locally (within the bdb
> database) but not in any of the targets, openldap will bind to the
> targets anonymously using the dn defined in idassert-bind but no
> password.
>
> If I bind to the proxy as a user that exists in one of the targets, it
> will bind to that target with the supplied credentials, and bind
> anonymously using the dn defined in idassert-bind to all other targets
> within scope.
>
> Ideally, I would like the following situation:
>
> If a user binds with local credentials, openldap should bind to the
> targets with the credentials supplied with idassert-bind.
>
> If a user binds with remote credentials, openldap should bind to that
> target with the credentials supplied by the user, and either bind to the
> other targets using the pre-defined credentials OR not attempt to bind
> to those targets.
If I get your wishes correctly, you should work at the idassert-authzFrom level to only enable identity assertion for local users, disabling it for remote users. You may need to set "non-prescriptive" in order to allow non-authorized users to connect anonymously.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   [EMAIL PROTECTED]
-----------------------------------
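The following slapd.conf fragment is an added illustration of the reply above; it is not from the thread or from OpenLDAP's own documentation. It uses the slapd-meta(5) directive syntax for a bdb database with a subordinate meta database, and restricts identity assertion with idassert-authzFrom so that only DNs from the local user subtree get the proxy's credentials, while everyone else falls through to anonymous because of flags=non-prescriptive. All suffixes, server URIs, DNs, subtree names and passwords are assumed placeholders.

```conf
# Added example (not from the thread or OpenLDAP's own docs): slapd.conf
# fragment implementing the idassert-authzFrom suggestion above. Every
# suffix, URI, DN and password here is an assumed placeholder.

# Local users and the base entry live in bdb.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
rootpw          secret
directory       /var/lib/ldap/example

# The proxy is glued in as a subordinate of the bdb database.
database        meta
suffix          "ou=remote,dc=example,dc=com"
subordinate

# --- target 1 (assumed remote server) ---
uri             "ldap://ldap1.example.net/ou=site1,ou=remote,dc=example,dc=com"
suffixmassage   "ou=site1,ou=remote,dc=example,dc=com" "dc=site1,dc=net"
# Proxy identity used for authorized local clients. mode=none sends the
# operation as this identity without asserting the client's DN.
# flags=non-prescriptive makes clients that do not match idassert-authzFrom
# proceed anonymously; the default (flags=prescriptive) would instead fail
# their operations with inappropriateAuthentication.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=site1,dc=net"
                credentials="proxy1secret"
                mode=none
                flags=non-prescriptive
# Only DNs under the local bdb user subtree may exploit identity assertion.
# A client bound as a DN that belongs to a target does not match and is
# therefore never sent to this target under the proxy's credentials.
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"

# --- target 2 (assumed remote server), same policy ---
uri             "ldap://ldap2.example.net/ou=site2,ou=remote,dc=example,dc=com"
suffixmassage   "ou=site2,ou=remote,dc=example,dc=com" "dc=site2,dc=net"
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=site2,dc=net"
                credentials="proxy2secret"
                mode=none
                flags=non-prescriptive
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
```

idassert-authzFrom is the authorization control here: without it, any identity the proxy accepts (including one authenticated against a remote target) could ride the proxy's privileged binddn to every other target. mode=none is chosen because the poster wants local users to reach the targets as the proxy identity itself; if the targets need to authorize per user, the default legacy mode (bind as binddn, then assert the client's DN through proxied authorization) is the alternative, but it requires the targets to recognize the local DNs. The binddn passwords sit in cleartext, so the file should be readable only by the slapd user, and `slaptest -f slapd.conf` checks the directive syntax before the server is restarted.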
