[Date Prev][Date Next] [Chronological] [Thread] [Top]

authzTo [auf Viren überprüft]

To: Openldap list <openldap-software@OpenLDAP.org>
Subject: authzTo [auf Viren überprüft]
From: Hans Moser <hans.moser@ofd-sth.niedersachsen.de>
Date: Thu, 04 Aug 2005 16:50:25 +0200
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; de-AT; rv:1.4) Gecko/20030624

Hi!

A user ck with
#
dn: employeeid=3,ou=here,ou=humans,o=foo
[..]
uid: ck
#
should be used as Cyrus IMAP user by ldapdb.
I have a entry
#
dn: cn=human,ou=mgr,o=foo
#
with
#
[...]
authzTo: ldap:///ou=humans,o=foo??sub?(uid=*)

I added
#
sasl_ldapdb_id: cn=human,ou=mgr,o=foo
#
to imapd.conf and
#
authz-policy to
authz-regexp uid=.*,cn=auth
	cn=human,ou=mgr,o=foo
authz-regexp cn=human,ou=mgr,o=foo
	dn.subtree=cn=.*,ou=here,ou=humans,o=foo
#
to my slapd.conf.

ACL for ou=humans,o=foo is
#
access to dn.subtree=ou=humans,o=foo
	by anonymous auth
	by users read
access to dn.subtree=ou=humans,o=foo attrs=userpassword
	by self write

Is does not work. User ck is not authenticated in ldap, I can't even find a try. There is BIND with DN: "" at first. Then a switch to cn=human,ou=mgr,o=foo (authcid=authzid="cn=human,ou=mgr,o=foo") and a search for the uid like defined in the authzTo-attribute. It ends up with "not authorized to assume identity".


Hans

Follow-Ups:
- Re: authzTo [auf Viren überprüft]
  - From: "Pierangelo Masarati" <ando@sys-net.it>

Prev by Date: Re: Getting Replication to work
Next by Date: AD to openldap migration
Index(es):
- Chronological
- Thread