Jehan PROCACCIA <[email protected]> writes:
> hello
>
> I need to give access to a partial replica of my ldap directory.
> This replica only contains "white pages" attributes -> no userpassword !
>
> syncrepl rid=001
> filter="(|(objectClass=organizationalPerson)
> attrs="uid,cn,sn,ou,departmentNumber,GivenName
>
> I created a bind user in the master ldap to give external access to
> that replica,
> but as I don't replicate userpassword, that bind user doesn't
> have a userpassword in the replica and so cannot authenticate on it
> (egg and chicken problem !)
>
> So how can I have that partial replica without userpassword attributes,
> but still allow someone (at least one dn, but not the rootdn in
> slapd.conf, which I want to keep secret)
> to bind to that replica !?
>
> I tested a binddn outside the ldap database with SASL (digest-md5), but
> apparently (ldapsearch -Y) it requires a userpassword attribute for
> that binddn in the ldap database :-(
> I thought that having a password only in /etc/sasldb2 would be enough
> ... too bad ;-(
> I also tested with a translucent in front of my replica; in that
> translucent I added the userpassword for the binddn so that he can
> bind, but the search addressed to that translucent, which finally goes
> to my partial replica, ends up as an anonymous bind,
> not as the binddn I expected :-( (so the ACLs cannot be matched).
>
> Please let me know how to let a user+password (a binddn with
> corresponding ACLs) search my replica when the replica does not contain
> userpassword attributes (or at least one for that binddn). Would it be
> possible to replicate the userpassword attribute from the master only for
> that binddn ?
Have you thought about an X.500 certificate, startTLS and the sasl external mechanism?

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N 10°08'02,42"E
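Dieter's suggestion in concrete form, as an added example that is not part of the original thread and not the poster's configuration: a slapd.conf fragment for the consumer (the partial replica) that keeps userPassword out of the replica entirely and instead lets one client authenticate with an X.509 certificate over StartTLS and SASL EXTERNAL. The certificate's subject DN is the SASL identity; an authz-regexp maps it to a DN that the ACLs reference, so no entry and no password for that identity has to exist in the replicated data. Host names, DNs, file paths, the certificate subject and the replication credentials are all assumptions.

```conf
# --- consumer (partial replica) slapd.conf, illustrative fragment ---

# Server certificate plus the CA that issued the client certificates.
# Paths are assumptions.
TLSCACertificateFile    /etc/openldap/certs/ca.pem
TLSCertificateFile      /etc/openldap/certs/replica.pem
TLSCertificateKeyFile   /etc/openldap/certs/replica.key
# Ask every client for a certificate.  A certificate that verifies
# against the CA above becomes the SASL EXTERNAL identity; "demand"
# instead of "try" would refuse clients that present none at all.
TLSVerifyClient         try

# The verified certificate subject arrives as the SASL authentication
# identity.  Map it to a DN under our suffix so the ACL below can match
# it.  The target DN is used as-is by slapd: it needs no entry and
# therefore no userPassword in the replica.
authz-regexp
        "^cn=whitepages-reader,ou=clients,o=example,c=fr$"
        "cn=whitepages-reader,ou=services,dc=example,dc=com"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=manager,dc=example,dc=com"
# No rootpw here: nobody needs to bind as rootdn to read the replica.

# Pull only the white-pages attributes; userPassword never reaches this host.
# Replication itself authenticates against the provider, not the replica,
# so the replicator's password does not need to exist locally either.
syncrepl rid=001
        provider=ldap://master.example.com
        type=refreshAndPersist
        retry="60 +"
        searchbase="dc=example,dc=com"
        filter="(objectClass=organizationalPerson)"
        attrs="uid,cn,sn,ou,departmentNumber,givenName"
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials=replicator-secret
        starttls=critical

# Only the certificate-authenticated identity may read; everyone else,
# including anonymous binds from a translucent overlay in front, gets nothing.
access to *
        by dn.exact="cn=whitepages-reader,ou=services,dc=example,dc=com" read
        by * none

# Client side (assumed ~/.ldaprc of the white-pages consumer):
#   TLS_CACERT /etc/openldap/certs/ca.pem
#   TLS_CERT   /home/wp/whitepages-reader.pem
#   TLS_KEY    /home/wp/whitepages-reader.key
# Verify the identity mapping before relying on the ACL:
#   ldapwhoami -H ldap://replica.example.com -ZZ -Y EXTERNAL
# then search as that identity:
#   ldapsearch -H ldap://replica.example.com -ZZ -Y EXTERNAL \
#       -b dc=example,dc=com "(uid=jdoe)" cn sn departmentNumber
```

The string to match in authz-regexp is the subject DN exactly as slapd normalises it, which is not always the order or case openssl prints; the practical way to get it right is to run the ldapwhoami above once with the authz-regexp commented out, copy the `dn:` it returns into the match pattern, then re-run and confirm the answer has become the mapped DN. Keep the CA that signs these client certificates separate from any public CA, otherwise every certificate that CA ever issued can bind to the replica.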
