We are trying to set up an LDAP Bridge, but do not wish to enter a user/pass to read the directory.
So far anonymous access is not working. It works to the same host from other LDAP clients using anonymous access.
Any hints here?
I don't think Matrix has been written to allow anonymous binding. You'll have to use a username/password until that feature is added.
Actually I just went for a dig and found that anonymous is supported, but the ability to set the version of LDAP is not.
I hacked in this line:
ldap_set_option($this->ptr, LDAP_OPT_PROTOCOL_VERSION, 3);
into fudge/ldap/ldap.inc at approximately line 109 (after the ldap_connect call)...
I also had to change the code just after that to process empty passwords the same way null passwords were being processed...
// bind to the server
if (is_null($pass) || empty($pass)) {
// attempting an anonymous bind

So I can connect, but now I can't get the "LDAP User Setup" page to run. It requires a 'Bind DN' to read the list of attributes available for users in the directory I think, but I haven't dug that deep yet...
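The post above changes two things in the bridge: it forces LDAP protocol version 3 before binding, and it treats an empty password the same as a null one so that the bind becomes anonymous. The following is an added example of how those two pieces fit together in plain PHP; it is not code from Squiz Matrix or from the poster's patch. The function names (ldap_bridge_connect, ldap_bridge_user_attributes), the host ldap.example.com, the base DN and the attribute list are all assumptions for illustration. The one check worth keeping from a security standpoint is the middle branch: a non-empty DN with an empty password is an "unauthenticated" simple bind (RFC 4513 section 5.1.2), which some directories answer with success without checking anything, so it must never be confused with either a real login or a true anonymous bind.

```php
<?php
// Added example, not Squiz Matrix code. Host, base DN and attribute list
// below are assumptions for illustration.

function ldap_bridge_connect(string $uri, ?string $bindDn, ?string $bindPass)
{
    $ldap = ldap_connect($uri);
    if ($ldap === false) {
        throw new RuntimeException("Could not parse LDAP URI $uri");
    }

    // Most directories reject LDAPv2 binds; the option must be set on the
    // handle before ldap_bind() is called.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);

    $bindDn   = trim((string) $bindDn);
    $bindPass = (string) $bindPass;

    if ($bindDn === '' && $bindPass === '') {
        // True anonymous bind: no DN and no credentials.
        $ok = @ldap_bind($ldap);
    } elseif ($bindDn !== '' && $bindPass === '') {
        // DN present, password empty: an "unauthenticated" simple bind
        // (RFC 4513 s5.1.2). Servers that allow it report success without
        // checking credentials, so refuse it rather than treat it as a login.
        throw new InvalidArgumentException("Refusing unauthenticated bind for $bindDn");
    } else {
        // Ordinary simple bind with a service account.
        $ok = @ldap_bind($ldap, $bindDn, $bindPass);
    }

    if (!$ok) {
        throw new RuntimeException('LDAP bind failed: ' . ldap_error($ldap));
    }
    return $ldap;
}

// With an anonymous bind there is no bound user entry whose attributes the
// setup screen can list, so prefer an explicitly configured list. As a
// fallback, sample one person entry and use the attributes the directory's
// ACLs actually expose to anonymous readers.
function ldap_bridge_user_attributes($ldap, string $baseDn, array $configured): array
{
    if ($configured !== []) {
        return $configured;
    }
    $res = ldap_search($ldap, $baseDn, '(objectClass=person)', ['*'], 0, 1);
    $entries = $res ? ldap_get_entries($ldap, $res) : ['count' => 0];
    if ($entries['count'] < 1) {
        return [];
    }
    $attrs = [];
    for ($i = 0; $i < $entries[0]['count']; $i++) {
        $attrs[] = $entries[0][$i];
    }
    return $attrs;
}

// Usage (assumed host, base DN and attribute list):
$ldap  = ldap_bridge_connect('ldap://ldap.example.com', '', '');
$attrs = ldap_bridge_user_attributes(
    $ldap,
    'dc=example,dc=com',
    ['uid', 'cn', 'sn', 'givenName', 'mail']
);
ldap_unbind($ldap);
```

Whether the fallback search returns anything at all depends on the directory's access controls for anonymous clients; many servers allow an anonymous bind but expose no attributes to it, which is exactly the "oh, anonymous binding works! oh no it doesn't" experience described later in this thread.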
That sounds about right. I think I may have already made these changes in the DEV version of Matrix. You can set the protocol version as 3, but I can't remember if I've made the change for anon access.
Well, we hacked in our own solution for anonymous access.
Really the thing is that you kind of shouldn't be using a real user to bind to LDAP. And you should also not use that user to get the list of attributes in the LDAP user setup screen.
We ended up hacking in our own array of attributes we wanted in that screen instead.
The best thing to do would be to allow a user selected list of attributes or have an option to use RFCs.
I don't know if our hacks have affected anything else though, too early to tell.
I don't see any problem with using a real user to connect to LDAP. You should have permissions configured for this user in your LDAP directory, so it shouldn't be a problem.
Using the account to get attributes is a short-cut that many users like. We plan to allow you to define your own attributes - but we will not be removing the functionality that helps users get this job done.
I think what Sam meant more was that if you do anonymous binding by not entering a user dn in, it's a bit annoying not having any way of specifying the attributes, as it relies upon retrieving the attributes of the user that you're binding as.
So it's like you go "oh anonymous binding works! oh no it doesn't…" 
Yeah, that's why I said "We plan to allow you to define your own attributes".