[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: identity assertion

To: Eric Irrgang <erici@motown.cc.utexas.edu>
Subject: Re: identity assertion
From: Pierangelo Masarati <ando@sys-net.it>
Date: Fri, 20 Jan 2006 22:14:54 +0100
Cc: openldap-software@OpenLDAP.org
In-reply-to: <Pine.GSO.4.58.0601201108290.28516@grapevine.cc.utexas.edu>
References: <Pine.GSO.4.58.0601191605590.589@grapevine.cc.utexas.edu> <1137713660.3342.72.camel@ando> <Pine.GSO.4.58.0601201108290.28516@grapevine.cc.utexas.edu>

What I don't follow you about is why are you trying to put back-ldap in
the middle.  Isn't your problem about finding some way to allow regular
users to access the cn=config tree?  You don't need back-ldap, you just
need to be able to authorize users to assume the identity you specified
as rootdn of the cn=config database.  Slapd allows you to do that
without back-ldap.  You could also do something like

authz-policy	from

database        config
rootdn          "cn=config,dc=test"

Then, in the "dc=test" database you can add a "cn=config,dc=test" entry
and, in that entry, add "authzFrom" rules that allow those users you
intend to authorize.  The "dc=test" database can be of any type that
allows you to store an entry with the "authzFrom" attribute.

p.

On Fri, 2006-01-20 at 13:53 -0600, Eric Irrgang wrote:
> On Fri, 20 Jan 2006, Pierangelo Masarati wrote:
> 
> >the authorization you're trying to use.  Note that since the cn=config
> >rootdn is not going to be a real entry, you won't be able to add any
> >"authzFrom" to it; you'll have to add "authzTo: dn.exact:cn=config" to
> >the entry of the identity you're binding as, and allow "to"
> >authorization by using "authz-policy to".
> 
> To clarify, aren't I correct in thinking that specifying a rootdn that is
> a real entry will allow me to use a real DN to be authorized for cn=config
> and thus be able to use authzFrom?
> 
> For instance, for cn=config I specified a rootdn of cn=config,dc=test and
> then in dc=test I added an entry for cn=config,dc=test and set the
> userPassword attribute.  Then I was able to bind as cn=config,dc=test and
> get at cn=config
> 
> I think my problem at this point is that I can't seem to get back-ldap to
> try to assert any identity other than the DN used by the client to
> authenticate.  I see no evidence in the output from '-d -1' that back-ldap
> is even trying to assert a new identity.  I'll try to get data from a
> simpler example and post a more general question, but do you see anything
> wrong with the following?
> 
> database	ldap
> suffix		dc=test
> uri		"ldap://localhost:1389";
> idassert-bind	bindmethod=simple
> 		authzID="dn:cn=config,dc=test"
> idassert-authzFrom "dn:*"
> 




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Follow-Ups:
- Re: identity assertion
  - From: Eric Irrgang <erici@motown.cc.utexas.edu>

References:
- identity assertion
  - From: Eric Irrgang <erici@motown.cc.utexas.edu>
- Re: identity assertion
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: identity assertion
  - From: Eric Irrgang <erici@motown.cc.utexas.edu>

Prev by Date: Re: [ldap] Implementation Suggestions
Next by Date: Re: [ldap] Implementation Suggestions
Index(es):
- Chronological
- Thread