Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the
> addressbook database, you don't appear to have performed a bind with
> an identity on the addressbook database, so slapd-ldap just assumes
> the anonymous identity.

Ah, yes. That sounds reasonable.

> Basically, the server has no way of knowing that it can trust your
> bind from the NSS database.

Sure, but as the databases reside on the same backend server, it might just give it a try and leave the decision to the backend server. This would not make sense (and introduce a security breach) with different backend servers of course. Maybe this could be considered a valid feature request for a future release. (Or maybe this just doesn't work out as I think it does.)

> The idassert-bind configuration may be of help to you

Thanks, I gave it a try with no success. Think I'll just have to read up more on this stuff. Meanwhile I "fixed" my setup by configuring the proxy to forward everything below "dc=sipwise,dc=com" to the backend server. So the proxy now thinks "dc=nss" and "dc=addressbook" are within the same database.

Thanks again and best regards,
daniel
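The two proxy layouts discussed in this message, sketched as a slapd.conf fragment. This is an added illustration, not configuration posted in the thread; the backend URI is a placeholder and the full suffix DNs of the two subtrees are assumed to sit directly under "dc=sipwise,dc=com".

```conf
# slapd.conf on the proxy (added example; URI and full suffix DNs are assumed)

# Before: one back-ldap database per subtree.
# A bind whose DN lives under the NSS suffix is performed against the first
# database only. A later search under the addressbook suffix is handled by
# the second database, which has seen no bind and therefore contacts the
# backend with the anonymous identity.
#
# database  ldap
# suffix    "dc=nss,dc=sipwise,dc=com"
# uri       "ldap://backend.example.org/"
#
# database  ldap
# suffix    "dc=addressbook,dc=sipwise,dc=com"
# uri       "ldap://backend.example.org/"

# After (the workaround described above): a single back-ldap database for
# the common parent. Bind and search now go through the same database, so
# the search reaches the backend with the identity that was bound.
database  ldap
suffix    "dc=sipwise,dc=com"
uri       "ldap://backend.example.org/"
```

With the single database, access to each subtree is decided by the backend server's own access controls for the bound identity, so those should be reviewed for both subtrees.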
