We use passthrough authentication with the Sun LDAP server.
In the LDAP access log you should be able to see what happens. The IDM bind account is used to search for the DN of the user, and then a new connection is set up to bind to the directory with the DN and password of the user. If the end-user bind succeeds (err=0), the user can log in.
What do you mean by 'anonymous bind is turned off'? Did you edit the ACL to remove the aci that allows anonymous access?
We still allow some anonymous read access from our own network, mainly for email address lookup by older email clients.
I do allow search access for anyone. I've forgotten why, maybe it was for authentication. And I do allow read access for the end user on his/her own entry.
aci: (target="ldap:///<mybase>")(targetattr="*")(version 3.0; acl "Anonymous search"; allow (compare,search) userdn = "ldap:///anyone"; )
aci: (target="ldap:///<mybase>")(targetattr="*")(version 3.0; acl "Self read"; allow (compare,search,read) userdn = "ldap:///self"; )
I think anonymous compare may be needed for a bind to succeed. You would have to compare the password with the stored password.
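As an added example (not part of this reply or of any IDM or Sun DS code), here is a small Python script that reads the access log the way described above: it pairs each BIND with the RESULT for the same conn/op, so you can see whether the IDM account's bind on the first connection and the end user's bind on the second connection both came back with err=0. The log lines, DNs and the service-account DN are constructed samples in the Sun/Netscape access-log format, not from a real server.

```python
import re

# Constructed sample in Sun/Netscape Directory Server access-log style (not from a real
# server): the IDM bind account binds and searches for the user's DN on conn=12, then a
# new connection (conn=13) binds as the user. A second user fails with err=49 on conn=14.
SAMPLE_LOG = """\
[23/Jan/2008:10:00:01 +0100] conn=12 op=0 BIND dn="cn=idm,ou=services,dc=example,dc=com" method=128 version=3
[23/Jan/2008:10:00:01 +0100] conn=12 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[23/Jan/2008:10:00:01 +0100] conn=12 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=jdoe)" attrs="1.1"
[23/Jan/2008:10:00:01 +0100] conn=12 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[23/Jan/2008:10:00:02 +0100] conn=13 op=0 BIND dn="uid=jdoe,ou=people,dc=example,dc=com" method=128 version=3
[23/Jan/2008:10:00:02 +0100] conn=13 op=0 RESULT err=0 tag=97 nentries=0 etime=0
[23/Jan/2008:10:00:05 +0100] conn=14 op=0 BIND dn="uid=asmith,ou=people,dc=example,dc=com" method=128 version=3
[23/Jan/2008:10:00:05 +0100] conn=14 op=0 RESULT err=49 tag=97 nentries=0 etime=0
"""

LINE_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|SRCH|RESULT)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')

def bind_outcomes(log_text):
    """Pair each BIND with the RESULT of the same conn/op and return a list of
    (conn, dn, err). err=0 means the bind succeeded; err=49 is invalidCredentials.
    An empty dn is an anonymous bind."""
    pending = {}   # (conn, op) -> dn of a BIND that has not seen its RESULT yet
    outcomes = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        if kind == 'BIND':
            dn = DN_RE.search(rest)
            pending[(conn, op)] = dn.group(1) if dn else ''
        elif kind == 'RESULT' and (conn, op) in pending:
            err = int(ERR_RE.search(rest).group(1))
            outcomes.append((conn, pending.pop((conn, op)), err))
    return outcomes

def failed_user_binds(log_text, service_dn):
    """End-user binds (anything other than the IDM service account) that did not
    return err=0: the first thing to check when passthrough login fails."""
    return [(c, dn, err) for c, dn, err in bind_outcomes(log_text)
            if dn != service_dn and err != 0]

if __name__ == '__main__':
    for conn, dn, err in bind_outcomes(SAMPLE_LOG):
        print(f"conn={conn} bind as {dn or '<anonymous>'} -> err={err}")
```

On a real server, feed it the access log and your own IDM bind DN; a successful search on the service connection followed by a non-zero err on the user's connection points at the user's password or the second bind, not at the ACIs.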