On the page of ldapi/auto-bind I have found the following paragraph :
If "nsslapd-ldapimaptoentries" value is "on", the uid and gid
searched with the filter "(&(uidNumber=<uid>)(gidNumber=<gid>)"
the search base "nsslapd-ldapientrysearchbase". Once a matched entry
is found, the client is authenticated as the entry. The uidNumber and
gidNumber attribute name are configurable with
respectively. Password is not necessary in the authentication.
What happens if there are serveral entries corresponding to the
abovementioned filter? The bind is refused or there is a random bind?
Or it will make an anynymous bind? I think this question should be
clearly defined (as it is defined in PKI external authentification
Direction des Systemes d'Information
91128 Palaiseau CEDEX