Hi again,

I understand that was a pretty specific question, so I'm going to try to
make it a bit more general:

- Is it possible to specify the authentication slapd should use when chasing
referrals of external LDAP servers?


Thanks,
Javier

On Fri, Sep 24, 2010 at 2:00 PM, Javier Sanz <[email protected]> wrote:

> Hi,
>
> After upgrading from OpenLDAP 2.3.27 to 2.4.11, using back_meta, it
> looks like the bindings to the referrals of the external LDAP servers
> are no longer being made using the authentication information
> specified in pseudorootdn and pseudorootpw, but are being made
> anonymously.  I have a backend meta that encapsulates a local LDAP
> server and some remote ones, mainly Active Directory ones not under my
> control. It also has a pcache overlay.  Until now, pseudoroot* auth.
> info. was used both when binding to Active Directories and when
> chasing their referrals, but now it is only being used to bind to the
> ADs and the binds to their referrals are being made anonymously.
>
> Is that behavior still supported? When slapd starts, it prints:
>
> line 75: "pseudorootdn", "pseudorootpw" are no longer supported; use
> "idassert-bind" and "idassert-authzFrom" instead.
>
> But slapd starts correctly. Does that mean that the directive works as
> it used to but it will be removed in the future, or that its
> functionality is deactivated until the user replaces it with
> idassert-bind?
>
> If it is the former, then the problem should be related to some other
> change between 2.3 and 2.4; what could it be?
>
> If it is the latter and pseudorootdn must be replaced with
> idassert-bind, I have tried it with all kinds of modes (none, self,
> legacy), flags, and different idassert-authzFrom's,
> with no success.
>
> I'm using OpenLDAP 2.4.11 under Debian 5.0 Lenny. I have tried
> upgrading to 2.4.17 with the same results. Bindings from clients to my
> server are always done using the same DN (rootdn).
>
> It has been some days now since I started looking into this, so any
> help is greatly appreciated.
>
> Here is the relevant config:
>
> (...includes...)
> loglevel config stats stats2
>
> modulepath /usr/lib/ldap
> moduleload back_bdb
> moduleload back_ldap
> moduleload back_meta
> moduleload pcache
> allow update_anon
> access to * by * write
>
> database meta
> suffix "dc=myldap,dc=local"
> rootdn "cn=manager,dc=myldap,dc=local"
> rootpw "passwd"
> chase-referrals yes
> rebind-as-user no
> dncache-ttl forever
> network-timeout 5
> nretries 5
> idle-timeout 5m
> pseudoroot-bind-defer yes
> overlay pcache
> (...cache options..)
>
> uri "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local";
> suffixmassage "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"
>
>
> pseudorootdn "CN=Administrator,DC=Users,DC=externalldap,DC=com"
> pseudorootpw windowsadminpasswd
> (...maps...)
>
> Thanks,
> Javier
>



-- 
Un saludo,

    Javier
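For reference, here is the same back_meta target rewritten with the directives the startup warning names, idassert-bind and idassert-authzFrom, in place of pseudorootdn/pseudorootpw. This is an added example, not configuration from the original posts: the hostnames, DNs and passwords are the poster's placeholders carried over, and mode/flags values are the documented slapd-meta options for the 2.4 series. Whether referral chasing in 2.4.x reuses the asserted identity is the question this thread leaves open, so the fragment only shows the replacement syntax, not a confirmed fix.

```conf
# Added example (not from the original post): back_meta target using
# idassert-bind / idassert-authzFrom instead of pseudorootdn / pseudorootpw.
# Hostnames, DNs and passwords are the poster's placeholders, not real values.

database        meta
suffix          "dc=myldap,dc=local"
rootdn          "cn=manager,dc=myldap,dc=local"
rootpw          "passwd"
chase-referrals yes
rebind-as-user  no

uri             "ldap://externalldap:389/dc=Directory_0,dc=myldap,dc=local"
suffixmassage   "dc=Directory_0,dc=myldap,dc=local" "DC=externalldap,DC=com"

# Deprecated form (2.4.x still parses it but warns at startup, as quoted above):
#pseudorootdn   "CN=Administrator,DC=Users,DC=externalldap,DC=com"
#pseudorootpw   windowsadminpasswd

# Replacement: bind to this target as a fixed identity for forwarded operations.
# Lines beginning with whitespace are continuation lines in slapd.conf.
#   mode=none              -> bind as binddn and send no proxyAuthz control,
#                             the choice for targets that do not implement
#                             the proxied authorization control.
#   flags=non-prescriptive -> if the identity cannot be asserted, continue
#                             rather than fail the operation.
idassert-bind   bindmethod=simple
                binddn="CN=Administrator,DC=Users,DC=externalldap,DC=com"
                credentials="windowsadminpasswd"
                mode=none
                flags=non-prescriptive

# Restrict whose operations may be carried out under that identity.
# The poster says every client binds as rootdn, so limit the assertion to
# that DN instead of the catch-all "*".
idassert-authzFrom "dn.exact:cn=manager,dc=myldap,dc=local"
```

Two operational points follow from the fragment. The target credentials sit in clear text in slapd.conf, so the file should be readable only by the account slapd runs as, and the idassert-authzFrom pattern is what keeps a less privileged client from having its requests forwarded with the administrator's credentials; "*" would extend that to anyone who can reach the proxy. Separately from the referral question, the posted global ACL `access to * by * write` together with `allow update_anon` grants write access to anonymous clients, which is worth tightening once the proxy behaviour is sorted out.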
