Re: identity assertion

[Eric Irrgang <erici@motown.cc.utexas.edu>]

On Fri, 20 Jan 2006, Pierangelo Masarati wrote:

>the authorization you're trying to use.  Note that since the cn=config
>rootdn is not going to be a real entry, you won't be able to add any
>"authzFrom" to it; you'll have to add "authzTo: dn.exact:cn=config" to
>the entry of the identity you're binding as, and allow "to"
>authorization by using "authz-policy to".

To clarify, aren't I correct in thinking that specifying a rootdn that is
a real entry will allow me to use a real DN to be authorized for cn=config
and thus be able to use authzFrom?

For instance, for cn=config I specified a rootdn of cn=config,dc=test and
then in dc=test I added an entry for cn=config,dc=test and set the
userPassword attribute.  Then I was able to bind as cn=config,dc=test and
get at cn=config

I think my problem at this point is that I can't seem to get back-ldap to
try to assert any identity other than the DN used by the client to
authenticate.  I see no evidence in the output from '-d -1' that back-ldap
is even trying to assert a new identity.  I'll try to get data from a
simpler example and post a more general question, but do you see anything
wrong with the following?

database	ldap
suffix		dc=test
uri		"ldap://localhost:1389";
idassert-bind	bindmethod=simple
		authzID="dn:cn=config,dc=test"
idassert-authzFrom "dn:*"

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342