This way it binds anonymously, and then fails to do an ldapsearch because of insufficient privs. Giving * read to all seems silly, and I would rather not go that route.
If anyone has suggestions or comments they would be greatly appreciated.
How I did it (assuming your using AD as the backend) .. is just create a user account to bind with to do the search (to locate the DN). It does not need to be an admin user, unless you have torqued down the permissions inside AD. This allows bind as the defined user (to search for the DN of the striped-user-name) and then rebind as that DN. ldap { server = "mydc.foocorp.com" identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com" password = imnotgoingtotellyou basedn = "dc=foocorp,dc=com" filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))" .. } Cheers, Michael Holstein Cleveland State University