Actually I would not trust any software that sends passwords unencrypted over the wire today (maybe localhost connections excepted). Do you have specific reasons not to use an encrypted connection? It's non-obvious what you actually want to do. Maybe an X-Y-problem (https://en.wikipedia.org/wiki/XY_problem)?
Kind regards,
Ulrich Windl

> -----Original Message-----
> From: Fred N <[email protected]>
> Sent: Thursday, May 1, 2025 11:20 PM
> To: [email protected]
> Subject: [EXT] Re: RE: ldap proxy
>
> Hello,
>
> I’m trying to set up an OpenLDAP architecture where a client connects to a
> proxy using an unencrypted connection with a simple bind (e.g., via
> ldapsearch), and the proxy then connects securely to a backend LDAP server
> using TLS client certificate authentication via SASL EXTERNAL.
>
> Here is what I’m aiming for:
> • The client uses simple bind over ldap:// to connect to the proxy.
> • The proxy should ignore the client’s bind credentials and use its own
>   certificate to connect to the backend via ldaps:// or ldap+starttls://
>   using SASL EXTERNAL.
> • The backend uses authz-regexp rules to map the proxy’s certificate DN to
>   a local identity, which is authorized to perform the search on behalf of
>   the client.
>
> I’ve tested this setup with OpenLDAP versions 2.4, 2.5, and 2.6 but have not
> been able to make it work.
>
> I gave a configuration in my first message and I tried several configurations,
> but I always come back to this one when I read the docs or look at the forums.
>
> Regards
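[Editor's note] To make the two halves of the setup Fred describes concrete, here is an added slapd.conf sketch of the relevant directives on the proxy and on the backend. It is not a configuration posted in this thread and is not known to fix Fred's problem; the hostnames, suffix, DNs, file paths, certificate subject and the rootdn/rootpw on the proxy are all assumptions chosen for the illustration.

```conf
### Proxy: slapd.conf on the assumed host ldap-proxy.example.net
### (listens on ldap:// only; all names below are assumed)

# Uncomment if back-ldap is built as a module on your distribution
# moduleload    back_ldap.la

# CA that issued the backend's server certificate
TLSCACertificateFile    /etc/ldap/ca.pem

database        ldap
suffix          "dc=example,dc=com"
# ldaps:// is encrypted from the first byte, so no starttls= option is
# needed on idassert-bind; for ldap:// plus StartTLS add starttls=critical
uri             "ldaps://ldap-backend.example.net/"
# The proxy's own identity towards the backend: a TLS client certificate
# presented through SASL EXTERNAL. mode=none means the proxy sends no
# proxyAuthz control, so the backend performs every forwarded operation
# as the proxy's certificate identity, not as the client.
idassert-bind   bindmethod=sasl
                saslmech=EXTERNAL
                mode=none
                tls_cert=/etc/ldap/proxy-cert.pem
                tls_key=/etc/ldap/proxy-key.pem
                tls_cacert=/etc/ldap/ca.pem
                tls_reqcert=demand
# Let every local identity use the assertion
idassert-authzFrom "dn:*"
# back-ldap forwards client binds to the backend; the one bind the slapd
# frontend answers locally (from rootpw) is a bind as this rootdn, so a
# client binding as it never has its credentials sent to the backend.
# Assumed DN; replace the placeholder with a hash from slappasswd.
rootdn          "cn=proxy-admin,dc=example,dc=com"
rootpw          placeholder-replace-with-slappasswd-hash

### Backend: slapd.conf on the assumed host ldap-backend.example.net
### (listens on ldaps:// only)

TLSCACertificateFile    /etc/ldap/ca.pem
TLSCertificateFile      /etc/ldap/backend-cert.pem
TLSCertificateKeyFile   /etc/ldap/backend-key.pem
# Request a client certificate in the handshake; without one the server
# has nothing to offer SASL EXTERNAL. "demand" rejects TLS clients that
# present none, which fits a backend whose only client is the proxy;
# use "try" if other TLS clients connect without certificates.
TLSVerifyClient         demand

# With SASL EXTERNAL over TLS the authentication identity is the subject
# DN of the client certificate. Map it to an entry under our own suffix.
# The pattern assumes the proxy certificate was issued with the subject
# CN=ldap-proxy,OU=services,O=Example; confirm the exact string the
# server sees with ldapwhoami (see note below) before relying on it.
authz-regexp
    "^cn=ldap-proxy,ou=services,o=example$"
    "cn=ldap-proxy,ou=services,dc=example,dc=com"

database        mdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# Keep password hashes out of the proxy's reach, then grant the mapped
# proxy identity read access. Because the proxy asserts no client
# identity (mode=none above), this rule is what every client of the
# proxy effectively gets.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="dc=example,dc=com"
    by dn.exact="cn=ldap-proxy,ou=services,dc=example,dc=com" read
    by * none
```

Before trusting the authz-regexp, bind to the backend directly with the proxy's certificate and ask who you are: LDAPTLS_CERT=/etc/ldap/proxy-cert.pem LDAPTLS_KEY=/etc/ldap/proxy-key.pem ldapwhoami -H ldaps://ldap-backend.example.net/ -Y EXTERNAL. Until the mapping works it prints the certificate subject DN, which is the string the regexp has to match; afterwards it prints the mapped entry. Two points bear on what Fred is asking for: slapd-ldap(5) states that direct binds are always proxied, so an ordinary simple bind from the client is still forwarded to the backend, which is why the sketch has the client bind as the proxy database's rootdn instead; and, as Ulrich notes, the ldap:// leg carries that password in clear, so the rootpw becomes a shared secret readable by anyone on the client's network path.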
