I still have to play with embedded LDAP server (btw, it’s exactly OpenLDAP) but, having worked a lot on ldap servers, I noticed that ldap authentication process is quite often not well understood and therefore poorly implemented.
I don’t understadn what you mean with your request that is to set “rootbinddn”. What I can tell you is that “correct” (obviously from my standpoint 😉 ) Ldap authentication process is to:
– prompt user for his/her credential (login/password)
– ANNONYMOUSLY search for entry matching login part (most of the time UID)
– in case one (unique) entry is found, then retrieve DN and bind using this DN and password provided by user.
No need here to search directory with any DN known in advance. No need to authenticate before being sure you found matching entry.
The point is that LDAP clients (applications) are not very often implementing this, targetting rather “direct authentication” looking for attributes that are not available anonymously. Worst case (and btw, I saw a lot of applicaiton doing this) being to get user password from ldap and compare with password as provided by user during authentication process. This method must be prohibited 👿