Thank you for pointing it out. If multiple entries are found, the
MapToEntries is considered failed. And it falls through to the next step:
checking whether the client user is a super user or not. If it's not,
it's going to be an anonymous bind. I'm updating the memo.
Andrey Ivanov wrote:
On the page of ldapi/auto-bind I have found the following paragraph:
If "nsslapd-ldapimaptoentries" value is "on", the uid and gid
searched with the filter
the search base "nsslapd-ldapientrysearchbase". Once a matched entry
is found, the client is authenticated as the entry. The uidNumber and
gidNumber attribute name are configurable with
respectively. Password is not necessary in the authentication.
What happens if there are several entries corresponding to the
above-mentioned filter? The bind is refused or there is a random bind?
Or it will make an anonymous bind? I think this question should be
clearly defined (as it is defined in PKI external authentication
Direction des Systemes d'Information
91128 Palaiseau CEDEX
Fedora-directory-devel mailing list
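
The resolution order described in the reply above, as an added example that is not part of the original thread or the server's own code. It models the directory as a constructed in-memory list, and it assumes that "super user" means uid 0 and that a super user is bound as a configured root DN (the `ROOT_DN` value is a placeholder). It also lists the uidNumber/gidNumber pairs that would make the mapping fail because more than one entry matches.

```python
from collections import Counter

# Constructed sample entries (not from the original thread).
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=com", "uidNumber": 1001, "gidNumber": 1001},
    {"dn": "uid=backup,ou=people,dc=example,dc=com", "uidNumber": 1002, "gidNumber": 100},
    {"dn": "uid=backup2,ou=people,dc=example,dc=com", "uidNumber": 1002, "gidNumber": 100},
]
ROOT_DN = "cn=Directory Manager"  # placeholder: assumed identity for the super user
ANONYMOUS = ""                    # an empty DN models an anonymous bind


def map_to_entry(entries, uid, gid):
    """Return the DN of the single entry matching uid/gid, else None."""
    matches = [e["dn"] for e in entries
               if e["uidNumber"] == uid and e["gidNumber"] == gid]
    # Zero matches and multiple matches both count as a failed mapping.
    return matches[0] if len(matches) == 1 else None


def resolve_autobind(entries, uid, gid, map_to_entries=True):
    """Model the order in the reply: entry mapping, super user, anonymous."""
    if map_to_entries:  # corresponds to nsslapd-ldapimaptoentries: on
        dn = map_to_entry(entries, uid, gid)
        if dn is not None:
            return dn
    if uid == 0:  # assumption: "super user" means uid 0
        return ROOT_DN
    return ANONYMOUS


def ambiguous_pairs(entries):
    """List (uidNumber, gidNumber) pairs shared by more than one entry."""
    counts = Counter((e["uidNumber"], e["gidNumber"]) for e in entries)
    return sorted(pair for pair, n in counts.items() if n > 1)


if __name__ == "__main__":
    for uid, gid in [(1001, 1001), (1002, 100), (0, 0), (4242, 4242)]:
        print(uid, gid, repr(resolve_autobind(ENTRIES, uid, gid)))
    print("ambiguous:", ambiguous_pairs(ENTRIES))
```

Running `ambiguous_pairs` over an export of the search base shows which local accounts would silently end up with an anonymous bind instead of their own entry.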