> Is there a way that I can prevent BINDs for normal user DNs from any source
> other than the SSO software?

If your clients can support client TLS, require it on your OpenLDAP instance. This is a really nice way to restrict access without worrying about IP addresses.

> Is my approach to this issue technically possible? Are there other solutions?

I developed a custom dynacl for a directory that needed to support TLS without client auth (so I couldn't just "olcTLSVerifyClient: demand"). The dynacl simply checks that client TLS was done, so the following ACL would work for those connections:

    access to attrs=userPassword by dynacl/clientauth +x
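Added illustration, not the poster's configuration or their dynacl: the stock-OpenLDAP version of the first suggestion, where a client certificate can simply be demanded, expressed as cn=config LDIF that makes the TLS handshake fail without a certificate from the SSO software's issuing CA and an ACL that only grants password auth inside a TLS session. The tls_ssf= qualifier, olcSecurity and olcTLSVerifyClient are standard slapd directives; the CA file path and the {1}mdb database index are assumptions for the example.

```ldif
# Global TLS settings. The CA path is an assumption for this example:
# it should hold only the CA that issued the SSO software's client cert.
# "demand" makes the handshake fail unless the client presents a
# certificate chaining to that CA, so other sources never get a session.
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/tls/sso-issuing-ca.pem
-
replace: olcTLSVerifyClient
olcTLSVerifyClient: demand

# Per-database rules; "{1}mdb" is assumed, check your own index with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDatabase
# olcSecurity: tls=128 refuses any operation that is not inside a TLS
# session of at least 128-bit strength, so a plaintext bind never even
# reaches the ACLs.
# A simple bind needs "auth" on userPassword for the not-yet-bound
# (anonymous) identity; it is granted only when tls_ssf is >= 128.
# Continuation lines start with a space (LDIF folding).
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcSecurity
olcSecurity: tls=128
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by anonymous tls_ssf=128 auth
  by self tls_ssf=128 =xw
  by * none
olcAccess: {1}to *
  by users read
  by * none
```

Apply with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` and confirm with `ldapwhoami -ZZ` from a host that lacks the client certificate: the StartTLS handshake should be rejected before any bind is attempted.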