We use passthrough authentication with the Sun LDAP server.
In the LDAP access log you should be able to see what happens. The IDM bind account is used to search for the DN of the user, and then a new connection is set up to bind to the directory with the DN and password of the user. If the end-user bind succeeds (err=0) the user can log in.
What do you mean by 'anonymous bind is turned off'? Did you edit the ACL to remove the aci that allows anonymous access?
Will get someone to look at the logs.
They edited the ACL and removed any rights that anonymous has (read,search,compare). Is that what you did?
We still allow some anonymous read access from our own network, mainly for email address lookup by older email clients.
I do allow search access for anyone. I've forgotten why, maybe it was for authentication. And I do allow read access for the enduser on his/her own entry.
aci: (target="ldap:///<mybase>")(targetattr="*")(version 3.0; acl "Anonymous search"; allow (compare,search) userdn = "ldap:///anyone"; )
aci: (target="ldap:///<mybase>")(targetattr="*")(version 3.0; acl "Self read"; allow (compare,search,read) userdn = "ldap:///self"; )
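To see concretely what the two ACIs above hand out to an unauthenticated client versus the user's own entry, here is an added example (not code from the thread or from the Sun directory product) that parses that ACI syntax and computes the effective rights for a given bind identity. It supports only the subset used in the thread (target, targetattr, allow/deny, and userdn with anyone/self/all or a literal DN); the base DN "dc=example,dc=com" and the user entries are constructed stand-ins for the thread's <mybase> placeholder.

```python
"""Toy evaluator for Sun Directory Server-style ACIs, used to audit anonymous rights.

Only the ACI keywords that appear in the thread are supported; a real server
understands many more (targetfilter, groupdn, ip, authmethod, ...).
"""
import re
from dataclasses import dataclass

# Constructed base DN standing in for the thread's <mybase> placeholder.
MYBASE = "dc=example,dc=com"

# The two ACIs from the thread, with <mybase> filled in.
SAMPLE_ACIS = [
    '(target="ldap:///%s")(targetattr="*")(version 3.0; acl "Anonymous search"; '
    'allow (compare,search) userdn = "ldap:///anyone"; )' % MYBASE,
    '(target="ldap:///%s")(targetattr="*")(version 3.0; acl "Self read"; '
    'allow (compare,search,read) userdn = "ldap:///self"; )' % MYBASE,
]

ACI_RE = re.compile(
    r'\(target="ldap:///(?P<target>[^"]*)"\)'
    r'\(targetattr="(?P<attr>[^"]*)"\)'
    r'\(version 3\.0;\s*acl "(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'userdn\s*=\s*"ldap:///(?P<subject>[^"]*)";\s*\)'
)


@dataclass(frozen=True)
class Aci:
    name: str
    target: str        # normalized base DN the ACI applies to
    effect: str        # "allow" or "deny"
    rights: frozenset  # e.g. {"compare", "search"}
    subject: str       # "anyone", "self", "all" or a literal DN


def normalize_dn(dn):
    """Lowercase and strip whitespace around RDNs so DNs compare reliably."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_aci(text):
    m = ACI_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("unsupported ACI syntax: %r" % text)
    rights = frozenset(r.strip() for r in m.group("rights").split(",") if r.strip())
    return Aci(m.group("name"), normalize_dn(m.group("target")),
               m.group("effect"), rights, m.group("subject"))


def subject_matches(aci, bind_dn, entry_dn):
    """bind_dn is None for an anonymous (unauthenticated) connection."""
    s = aci.subject
    if s == "anyone":            # includes anonymous clients
        return True
    if bind_dn is None:          # everything else needs an authenticated bind
        return False
    if s == "all":
        return True
    if s == "self":
        return normalize_dn(bind_dn) == normalize_dn(entry_dn)
    return normalize_dn(bind_dn) == normalize_dn(s)


def target_matches(aci, entry_dn):
    """The entry must be the target base itself or sit below it."""
    e = normalize_dn(entry_dn)
    return e == aci.target or e.endswith("," + aci.target)


def effective_rights(acis, bind_dn, entry_dn):
    """Union of allows minus union of denies (deny wins, as in Directory Server)."""
    allowed, denied = set(), set()
    for aci in acis:
        if target_matches(aci, entry_dn) and subject_matches(aci, bind_dn, entry_dn):
            (allowed if aci.effect == "allow" else denied).update(aci.rights)
    return frozenset(allowed - denied)


def anonymous_grants(acis):
    """Names and rights of ACIs that grant something to unauthenticated clients."""
    return [(a.name, sorted(a.rights))
            for a in acis if a.effect == "allow" and a.subject == "anyone"]


if __name__ == "__main__":
    acis = [parse_aci(a) for a in SAMPLE_ACIS]
    user = "uid=alice,ou=people," + MYBASE
    print("anonymous on user entry:", sorted(effective_rights(acis, None, user)))
    print("user on own entry:      ", sorted(effective_rights(acis, user, user)))
    print("other user on entry:    ",
          sorted(effective_rights(acis, "uid=bob,ou=people," + MYBASE, user)))
    print("ACIs granting to anyone:", anonymous_grants(acis))
```

Run against the thread's two ACIs this reports that an anonymous client gets compare and search on every entry under the base, the user gets compare, search and read on its own entry, and only the "Anonymous search" ACI is the one handing rights to unauthenticated clients; adding a deny ACI for the same subject removes those rights again, which is the lever to pull if the policy really is "nothing anonymous".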
I think anonymous compare may be needed for a bind to succeed. You would have to compare the password with the stored password.
OK, just turning on anonymous compare allows users to log into IDM. However, we have been asked not to use anonymous binds, and the argument is whether allowing compares is a bind or not.
Is there any way that you can think of not to have anything happening anonymously?
I don't know of another method, you do need a certain amount of access to be able to authenticate.
You could use a proxy user, but then the proxy user needs to bind first.