[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: identity assertion

To: Eric Irrgang <erici@motown.cc.utexas.edu>
Subject: Re: identity assertion
From: Howard Chu <hyc@symas.com>
Date: Thu, 19 Jan 2006 15:14:34 -0800
Cc: openldap-software@OpenLDAP.org
In-reply-to: <Pine.GSO.4.58.0601191605590.589@grapevine.cc.utexas.edu>
References: <Pine.GSO.4.58.0601191605590.589@grapevine.cc.utexas.edu>
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20060115 SeaMonkey/1.5a Mnenhy/0.7.3.0

Eric Irrgang wrote:

If you want to be able to do a simple bind as one DN but perform actions as another DN, you need to use some sort of identity assertion. Is there a way to do this without using back-ldap?

It's called Proxy Authorization. Some SASL mechanisms allow it, in which case your identity is changed for the entire duration of the session. You can also attach a ProxyAuthorization control to individual operations after authenticating normally.

Specifically, I'm trying to work around the lack of ACL access to the config backend by allowing specific DNs to assert the cn=config rootDN. I've got rootdn for cn=config set to cn=config,dc=test and an entry in a bdb backend for cn=config,dc=test with a authzFrom attribute set.

I suspect we will be adding normal ACL checking to back-config in the near future. You'll just have to be *extremely* careful about you configure things.

So I just need to bind as a user that is authorized with the authzFrom and assert the cn=config,dc=test identity, right?


Yes.


--
 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/

References:
- identity assertion
  - From: Eric Irrgang <erici@motown.cc.utexas.edu>

Prev by Date: Re: Client not getting reply from slapd-ldap proxy
Next by Date: Re: identity assertion
Index(es):
- Chronological
- Thread