Re: identity assertion
Eric Irrgang wrote:
> If you want to be able to do a simple bind as one DN but perform actions
> as another DN, you need to use some sort of identity assertion. Is there
> a way to do this without using back-ldap?

It's called Proxy Authorization. Some SASL mechanisms allow it, in which
case your identity is changed for the entire duration of the session.
You can also attach a ProxyAuthorization control to individual
operations after authenticating normally.

> Specifically, I'm trying to work around the lack of ACL access to the
> config backend by allowing specific DNs to assert the cn=config rootDN.
> I've got rootdn for cn=config set to cn=config,dc=test and an entry in a
> bdb backend for cn=config,dc=test with an authzFrom attribute set.

I suspect we will be adding normal ACL checking to back-config in the
near future. You'll just have to be *extremely* careful about how you
configure things.

> So I just need to bind as a user that is authorized with the authzFrom and
> assert the cn=config,dc=test identity, right?

Yes.
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
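The setup the thread describes, written out as an added LDIF example (not from either poster): the global authz-policy must be switched on for authzFrom to be consulted, and the entry for the config rootdn lists the only identity allowed to assume it. The delegate DN cn=admin,dc=test is a hypothetical name; the bdb database holding dc=test is assumed to exist already.

```ldif
# Added example, not from the thread. Assumes a bdb database for dc=test
# and a hypothetical delegate identity cn=admin,dc=test.

# 1. Global switch: without authz-policy "from", authzFrom on the target
#    entry is ignored and every proxy authorization attempt is refused.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: from

# 2. The config database's rootdn is an ordinary entry under dc=test.
#    Its authzFrom is the allow-list of who may assert this identity;
#    dn.exact matches one DN only, so keep it that narrow.
dn: cn=config,dc=test
changetype: add
objectClass: person
cn: config
sn: config
authzFrom: dn.exact:cn=admin,dc=test
```

After that, bind normally as cn=admin,dc=test and attach the control to each operation that needs rootdn rights on the config backend, e.g. `ldapsearch -x -D cn=admin,dc=test -W -e authzid=dn:cn=config,dc=test -b cn=config`. Anyone who can bind as the delegate DN has full control of slapd's configuration, so its password and the authzFrom list deserve the same care as the rootpw itself.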