According to http://www.openldap.org/faq/data/cache/532.html,
idassert-authzFrom
is not needed in this case. Here is the example:

> To allow (dumb) clients that do not perform bind to access servers that
> require bind (and some ssf) by asserting some static identity (the dn:<dn>,
> or even the anonymous mode, to implement the "sandbox" user described
> above) without any idassert-authzFrom rule in place:
>     database        ldap
>     suffix          "dc=example,dc=com"
>     uri             "ldap://ldap.example.com";
>     idassert-bind   bindmethod=simple
>                     binddn="cn=Proxy,dc=example,dc=com"
>                     credentials=proxy
>                     authzID="dn:cn=Sandbox,dc=example,dc=com"
> If no authzID is given, and mode is set to none (for instance because the
> remote server does not support the proxyAuthz control), the clients will be
> authorized as "cn=Proxy,dc=example,dc=com" even if they actually connected
> anonymously to the proxy. Beware that this may be a significant security
> breach, if that identity is granted anything but anonymous read privileges.
Ryan
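To make the FAQ warning quoted above concrete, here is a small audit script for the identity-assertion shapes it describes. This is an added example written for this thread, not code from the OpenLDAP project or from anyone in the discussion; the three slapd.conf fragments are constructed, the host and DN names in them are hypothetical, and the severities are my own assessment. The rules follow the quoted FAQ text and slapd-ldap(5): with mode=none and no authzID, operations reach the remote server as the idassert binddn for every client, anonymous ones included, unless idassert-authzFrom limits which local identities may use the assertion feature.

```python
"""Audit back-ldap identity-assertion settings in a slapd.conf fragment.

Added example for this thread; not OpenLDAP project code.  The fragments
below are constructed and the host/DN names are hypothetical.
"""
import shlex

# Constructed fragments (hypothetical names).  RISKY_CONF is the shape the
# FAQ warns about, SANDBOX_CONF is the FAQ's fixed-identity "sandbox" shape,
# HARDENED_CONF keeps mode=none but restricts who may use the assertion and
# protects the proxy's simple bind with STARTTLS.
RISKY_CONF = """\
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.example.com"
idassert-bind   bindmethod=simple
                binddn="cn=Proxy,dc=example,dc=com"
                credentials=proxy
                mode=none
"""
SANDBOX_CONF = """\
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.example.com"
idassert-bind   bindmethod=simple
                binddn="cn=Proxy,dc=example,dc=com"
                credentials=proxy
                authzID="dn:cn=Sandbox,dc=example,dc=com"
"""
HARDENED_CONF = """\
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.example.com"
tls             start
idassert-bind   bindmethod=simple
                binddn="cn=Proxy,dc=example,dc=com"
                credentials=proxy
                mode=none
idassert-authzFrom "dn.subtree:ou=people,dc=example,dc=com"
"""


def parse_directives(text):
    """Return [(name, [args])].  A line that starts with whitespace continues
    the previous directive (slapd.conf rule); comments and blanks are dropped
    and quoted values are handled by shlex."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    out = []
    for line in logical:
        parts = shlex.split(line)
        out.append((parts[0].lower(), parts[1:]))
    return out


def audit(text):
    """Return a list of (severity, message) for one 'database ldap' stanza."""
    idassert, authz_from, has_tls, uri = {}, [], False, ""
    for name, args in parse_directives(text):
        if name == "idassert-bind":
            for a in args:                       # key=value pairs
                k, _, v = a.partition("=")
                idassert[k.lower()] = v
        elif name == "idassert-authzfrom":
            authz_from.extend(args)
        elif name == "tls":
            has_tls = True
        elif name == "uri":
            uri = args[0] if args else ""
    findings = []
    if not idassert:
        return findings                          # no identity assertion in use
    mode = idassert.get("mode", "legacy").lower()
    binddn = idassert.get("binddn", "<unset>")
    if "authzid" in idassert:
        findings.append(("INFO", "every client acts on the remote server as "
                         f"{idassert['authzid']}; grant that identity no more "
                         "than anonymous read (FAQ 'sandbox' pattern)"))
    elif mode == "none":
        if authz_from:
            findings.append(("MEDIUM", "mode=none without authzID: local "
                             f"identities matching {', '.join(authz_from)} act "
                             f"on the remote server as {binddn}"))
        else:
            findings.append(("HIGH", "mode=none without authzID and without "
                             "idassert-authzFrom: anonymous clients act on the "
                             f"remote server as {binddn}"))
    if (idassert.get("bindmethod", "").lower() == "simple"
            and uri.startswith("ldap://") and not has_tls):
        findings.append(("MEDIUM", "simple bind over ldap:// with no 'tls' "
                         "directive: proxy credentials cross the network in "
                         "cleartext"))
    return findings


if __name__ == "__main__":
    for label, conf in (("risky", RISKY_CONF), ("sandbox", SANDBOX_CONF),
                        ("hardened", HARDENED_CONF)):
        for sev, msg in audit(conf):
            print(f"{label:9s} {sev:7s} {msg}")
```

To check a real file, call `audit(open("/etc/ldap/slapd.conf").read())`; the parser only understands slapd.conf syntax (one `database ldap` stanza per call), not the cn=config olc attributes, and it does not reason about the default `mode=legacy` case, which slapd-ldap(5) describes separately.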

On Fri, May 1, 2015 at 12:28 AM, Abdelhamid Meddeb <abdelha...@meddeb.net>
wrote:

> Hi,
> In addition to the ancient version, and according to the reported configuration,
> you are missing the idassert-authzFrom setting. More details in slapd.conf(5).
> Without this parameter you may have this issue.
>
> Cheers.
>
>
> On 01/05/2015 03:25, Quanah Gibson-Mount wrote:
>
>> --On Thursday, April 30, 2015 6:32 PM -0700 Ryan Lovett
>> <r...@berkeley.edu> wrote:
>>
>>
>>> Hello,
>>>
>>>
>>> I've setup a simple proxy so that local LDAP clients can get access to
>>> protected attributes on a remote server. My proxy is slapd 2.4.31 with
>>>
>>> What am I doing wrong? Any advice is greatly appreciated!
>>>
>>
>> The first thing you're doing wrong is running a version of OpenLDAP that
>> is so ancient.
>>
>> OpenLDAP 2.4.31 Release (2012/04/21)
>>
>> I.e., it's over 3 years old.
>>
>> There have been multiple fixes to slapd-ldap since that release.  This
>> one in particular may be related:
>>
>> OpenLDAP 2.4.33 Release (2012/10/10)
>>         Fixed slapd-ldap idassert bind handling (ITS#7403)
>>
>> --Quanah
>>
>>
>> --
>>
>> Quanah Gibson-Mount
>> Platform Architect
>> Zimbra, Inc.
>> --------------------
>> Zimbra ::  the leader in open source messaging and collaboration
>>
>>
>>
> --
> *Abdelhamid Meddeb*
> http://www.meddeb.net
>
>
