Hello,

I'm trying to configure a proxy with slapd-meta. I have my data on an OpenLDAP 
server ldap-1.example.org and my meta backend set up on ldap-proxy.example.org.

Here is the main part of my conf:

# {2}meta, config
dn: olcDatabase={2}meta,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMetaConfig
olcDatabase: {2}meta
olcSuffix: dc=test,dc=com
olcAddContentAcl: FALSE
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcReadOnly: FALSE
olcRootDN: cn=bind,dc=test,dc=com
olcRootPW: password
olcDbRebindAsUser: FALSE

# {0}uri, {2}meta, config
dn: olcMetaSub={0}uri,olcDatabase={2}meta,cn=config
objectClass: olcMetaTargetConfig
olcMetaSub: {0}uri
olcDbURI: "ldap://ldap-1.example.org:389/ou=dpt,dc=test,dc=com";
olcDbIDAssertBind: mode=none flags=non-prescriptive,proxy-authz-non-critical b
 indmethod=simple timeout=0 network-timeout=0 binddn="cn=manager" cr
 edentials="password" keepalive=0:0:0
olcDbRewrite: {0}suffixmassage "ou=dpt,dc=test,dc=com" "ou=dpt,dc=test,dc=
 com"
olcDbRebindAsUser: FALSE

It works fine: when I do an ldapsearch on ldap-proxy.example.org I retrieve my 
data stored on ldap-1.example.org. But in order to do that, I'm forced to use 
unique and administrative accounts: cn=bind,dc=test,dc=com for my proxy and 
cn=manager for my main LDAP server.

For security reasons, I would like to avoid using an admin account for binding 
and instead use any user credentials I choose to connect to the target servers 
for searches beyond the first target (my proxy). For example, if I have an 
account named ou=account,dc=test,dc=com on my LDAP server, I would like to bind 
my proxy directly with this account and dynamically propagate the credentials 
for verification on my LDAP server, returning the results if the credentials 
are correct.

I thought that "rebind-as-user YES" would resolve this, but it doesn't work.

Is there something I'm missing?

Thanks!
Arthur