Re: identity assertion
What I don't follow is why you are trying to put back-ldap in the
middle. Isn't your problem about finding some way to allow regular
users to access the cn=config tree? You don't need back-ldap, you just
need to be able to authorize users to assume the identity you specified
as rootdn of the cn=config database. Slapd allows you to do that
without back-ldap. You could also do something like
authz-policy from
database config
rootdn "cn=config,dc=test"
Then, in the "dc=test" database you can add a "cn=config,dc=test" entry
and, in that entry, add "authzFrom" rules that allow those users you
intend to authorize. The "dc=test" database can be of any type that
allows you to store an entry with the "authzFrom" attribute.
p.
On Fri, 2006-01-20 at 13:53 -0600, Eric Irrgang wrote:
> On Fri, 20 Jan 2006, Pierangelo Masarati wrote:
>
> >the authorization you're trying to use. Note that since the cn=config
> >rootdn is not going to be a real entry, you won't be able to add any
> >"authzFrom" to it; you'll have to add "authzTo: dn.exact:cn=config" to
> >the entry of the identity you're binding as, and allow "to"
> >authorization by using "authz-policy to".
>
> To clarify, aren't I correct in thinking that specifying a rootdn that is
> a real entry will allow me to use a real DN to be authorized for cn=config
> and thus be able to use authzFrom?
>
> For instance, for cn=config I specified a rootdn of cn=config,dc=test and
> then in dc=test I added an entry for cn=config,dc=test and set the
> userPassword attribute. Then I was able to bind as cn=config,dc=test and
> get at cn=config.
>
> I think my problem at this point is that I can't seem to get back-ldap to
> try to assert any identity other than the DN used by the client to
> authenticate. I see no evidence in the output from '-d -1' that back-ldap
> is even trying to assert a new identity. I'll try to get data from a
> simpler example and post a more general question, but do you see anything
> wrong with the following?
>
> database ldap
> suffix dc=test
> uri "ldap://localhost:1389"
> idassert-bind bindmethod=simple
>     authzID="dn:cn=config,dc=test"
> idassert-authzFrom "dn:*"
>
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
------------------------------------------
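To make the "from" versus "to" distinction in this thread concrete, here is a small Python model of the proxy-authorization decision slapd makes under authz-policy. It is an added example, not OpenLDAP code: the rule styles it handles (exact, children, subtree, onelevel, regex and the "*" wildcard) follow slapd.conf(5), DN normalization is simplified to lower-casing and trimming, treating "dn:*" as equivalent to the "*" wildcard is an assumption, and the directory contents (cn=config,dc=test as a real entry carrying authzFrom, plus two users) are constructed for the example.

```python
"""Toy model of slapd proxy authorization: authz-policy, authzFrom, authzTo.

Added example, not OpenLDAP code. The rule matching is a simplified
reading of slapd.conf(5); real slapd also supports u:, group: and SASL
forms, which are not modelled here.
"""
import re


def _norm(dn):
    """Simplified DN normalization: split on ',', trim, lower-case."""
    return [p.strip().lower() for p in dn.split(",")]


def rule_matches(rule, dn):
    """Match one authzFrom/authzTo rule value against a DN."""
    rule = rule.strip()
    if rule == "*":
        return True  # wildcard: every identity matches
    head, sep, pattern = rule.partition(":")
    if not sep or not head.startswith("dn"):
        return False  # u:, group: and other forms not modelled
    style = head[3:] if head.startswith("dn.") else "exact"
    if style == "exact" and pattern.strip() == "*":
        return True  # "dn:*" treated as the wildcard (assumption)
    if style == "regex":
        return re.search(pattern, ",".join(_norm(dn))) is not None
    target, base = _norm(dn), _norm(pattern)
    if style == "exact":
        return target == base
    below = len(target) > len(base) and target[-len(base):] == base
    if style == "children":
        return below
    if style == "subtree":
        return below or target == base
    if style == "onelevel":
        return below and len(target) == len(base) + 1
    raise ValueError("unknown dn style: " + style)


def may_assume(policy, bind_dn, target_dn, entries):
    """Decide whether bind_dn may assume target_dn under authz-policy.

    entries maps an entry DN to its attributes, e.g.
    {"authzFrom": [...], "authzTo": [...]}. Under "from" the rules live on
    the target entry, under "to" on the binding entry; "any" accepts either
    and "all" requires both. A target that is only a rootdn, with no real
    entry, has no authzFrom and so can never be assumed under "from".
    """
    def attr(dn, name):
        for entry_dn, attrs in entries.items():
            if _norm(entry_dn) == _norm(dn):
                return attrs.get(name, [])
        return []

    from_ok = any(rule_matches(r, bind_dn) for r in attr(target_dn, "authzFrom"))
    to_ok = any(rule_matches(r, target_dn) for r in attr(bind_dn, "authzTo"))
    return {"none": False, "from": from_ok, "to": to_ok,
            "any": from_ok or to_ok, "all": from_ok and to_ok}[policy]


# Constructed sample directory: cn=config,dc=test exists as a real entry in
# the dc=test database and authorizes everyone below ou=admins; bob instead
# carries an authzTo rule on his own entry.
DIRECTORY = {
    "cn=config,dc=test": {"authzFrom": ["dn.children:ou=admins,dc=test"]},
    "uid=alice,ou=admins,dc=test": {},
    "uid=bob,ou=people,dc=test": {"authzTo": ["dn.exact:cn=config,dc=test"]},
}


if __name__ == "__main__":
    for policy in ("from", "to", "any", "all"):
        for user in ("uid=alice,ou=admins,dc=test", "uid=bob,ou=people,dc=test"):
            print(policy, user, may_assume(policy, user, "cn=config,dc=test", DIRECTORY))
```

The model shows why the quoted idassert-authzFrom "dn:*" is the permissive end of the scale: rule_matches("dn:*", ...) is true for every local identity, so anyone who can bind could be asserted as cn=config,dc=test; a dn.children or dn.onelevel rule scoped to an admin container is the narrower setting.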