On 03/04/12 16:47, Induni, Marco wrote:
> Hi all,
> I'm building an openldap proxy to an AD server and adding a little of
> "intelligence" based on the client request.
>
> Unfortunately the client/program asking for information about an account
> needs to be set up with a user and password.
> Is there a way to let the proxy "ignore" this user and password and
> instead just use the ones specified in the slapd.conf file?
> Or set up fake credentials somewhere?
>
>
> In detail, queries are something like:
>
> ldapsearch -x -h openldap-proxy -w "secret" -D
> "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int"
> userPrincipalName=TST-USER10
>
> but I need the proxy to exclude the "-w "secret" -D
> "CN=MGRADREAD05,CN=MGR,DC=example,DC=com"" part, and use the one in the
> conf file.
> In fact if I do a query like:
>
> ldapsearch -x -h openldap-proxy -w "secret" -D
> "CN=MGRADREAD05,CN=MGR,DC=example,DC=com" -b "dc=pmm,dc=int"
> userPrincipalName=TST-USER10
>
> it works.
>
>
> Here is the slapd.conf:
>
> database meta
> suffix "dc=pmm,dc=int"
>
> uri "ldap://10.10.10.1/dc=pmm,dc=int"
> suffixmassage "dc=pmm,dc=int" "dc=media,dc=int"
>
> rewriteContext searchFilter
> rewriteRule "userPrincipalName=(.*)@rtsi.ch" "userPrincipalName=%[email protected]" ":"
> rewriteRule "sAMAccountName=([:alnum:])" "userPrincipalName=%[email protected]" ":"
>
> idassert-bind
>     bindmethod=simple
>     binddn="CN=svc-adread05,CN=AdminAccounts,OU=RSI,OU=Units,DC=media,DC=int"
>     credentials="Comano2012"
>     mode=self
> idassert-authzFrom "dn.regex:.*"
>
>
>
>
> Any idea?
You can configure the ldap and meta backends to use a different
authentication for the outgoing connection to the proxied server by
setting mode=none in the idassert-bind directive. For example:

idassert-bind bindmethod=simple
    binddn="cn=proxyuser,dc=ad,dc=com"
    credentials=secret
    mode=none

will cause all connections to the proxied LDAP server to use those
credentials. Is this what you're trying to achieve?

Jonathan

--
--------------------------------------------------------------
Jonathan Clarke - [email protected]
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
