Re: identity assertion
On Fri, 20 Jan 2006, Pierangelo Masarati wrote:
>the authorization you're trying to use. Note that since the cn=config
>rootdn is not going to be a real entry, you won't be able to add any
>"authzFrom" to it; you'll have to add "authzTo: dn.exact:cn=config" to
>the entry of the identity you're binding as, and allow "to"
>authorization by using "authz-policy to".
To clarify, aren't I correct in thinking that specifying a rootdn that is
a real entry will allow me to use a real DN to be authorized for cn=config
and thus be able to use authzFrom?
For instance, for cn=config I specified a rootdn of cn=config,dc=test and
then in dc=test I added an entry for cn=config,dc=test and set the
userPassword attribute. Then I was able to bind as cn=config,dc=test and
get at cn=config.
I think my problem at this point is that I can't seem to get back-ldap to
try to assert any identity other than the DN used by the client to
authenticate. I see no evidence in the output from '-d -1' that back-ldap
is even trying to assert a new identity. I'll try to get data from a
simpler example and post a more general question, but do you see anything
wrong with the following?
database ldap
suffix dc=test
uri "ldap://localhost:1389"
idassert-bind bindmethod=simple
    authzID="dn:cn=config,dc=test"
idassert-authzFrom "dn:*"
--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
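As an added illustration of the arrangement the quoted reply describes (the binding identity carries an "authzTo" rule, and the remote server enables "authz-policy to"), here is a minimal two-sided configuration. It is written for this page and is not the poster's configuration or anything from the OpenLDAP documentation; the identity cn=proxy,dc=test, its password and the port numbers are constructed placeholders, and the proxyAuthz check at the end assumes the entry and password exist on the remote server.

```conf
###########################################################################
# Remote server (the one listening on ldap://localhost:1389).
# slapd.conf fragment: permit identities to authorize *to* the targets
# listed in their own authzTo attribute.  Without this line authzTo
# values are ignored and every proxied authorization is refused.
###########################################################################
authz-policy to

# LDIF applied to the remote server with ldapmodify: the identity that
# back-ldap will bind as is a real entry, so it can carry authzTo.
# The rule names the target identity exactly, as in the quoted reply;
# "cn=config" here is the rootdn of the cn=config database, which is
# not itself a real entry and therefore cannot carry authzFrom.
#
#   dn: cn=proxy,dc=test
#   changetype: modify
#   add: authzTo
#   authzTo: dn.exact:cn=config

###########################################################################
# Proxy server (back-ldap).  slapd.conf fragment.
# Lines belonging to a directive that continue onto the next line must
# start with whitespace, otherwise slapd reads them as new directives.
###########################################################################
database      ldap
suffix        "dc=test"
uri           "ldap://localhost:1389"

# Identity used for the bind to the remote server.  The proxied
# authorization control that asserts the client's identity is sent on
# top of this bind, so it must be an identity the remote server will
# allow to authorize as the asserted DN (see the authzTo rule above).
# Values are constructed placeholders.
idassert-bind bindmethod=simple
    binddn="cn=proxy,dc=test"
    credentials="proxy-secret"

# Which local (client) identities back-ldap is allowed to assert.
# "dn:*" lets any client identity be asserted; tighten it to the DNs
# that actually need proxying once the mechanism is confirmed working.
idassert-authzFrom "dn:*"

###########################################################################
# Check the remote side on its own before involving back-ldap:
# ask the remote server who you are after a proxied authorization.
# A success prints "dn:cn=config"; a failure returns
# "insufficient access" or "invalid credentials", which points at the
# authzTo rule or the authz-policy setting rather than at back-ldap.
#
#   ldapwhoami -x -H ldap://localhost:1389 \
#       -D "cn=proxy,dc=test" -w proxy-secret \
#       -e authzid="dn:cn=config"
###########################################################################
```

Testing the remote server directly with ldapwhoami isolates the authorization rule from the proxy: if the proxied authorization is refused there, no back-ldap setting will make it succeed, and if it is accepted there, a "-d -1" trace on the proxy that still shows no proxyAuthz control is a back-ldap problem rather than an authorization one.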