Re: identity assertion
On Fri, 20 Jan 2006, Pierangelo Masarati wrote:
>What I don't follow you about is why are you trying to put back-ldap in
>the middle. Isn't your problem about finding some way to allow regular
>users to access the cn=config tree? You don't need back-ldap, you just
>need to be able to authorize users to assume the identity you specified
>as rootdn of the cn=config database. Slapd allows you to do that
>without back-ldap. You could also do something like
>
>authz-policy from
>
>database config
>rootdn "cn=config,dc=test"
>
>Then, in the "dc=test" database you can add a "cn=config,dc=test" entry
>and, in that entry, add "authzFrom" rules that allow those users you
>intend to authorize. The "dc=test" database can be of any type that
>allows you to store an entry with the "authzFrom" attribute.

I already have my target directory set up that way but I don't know how to
do identity assertion from a regular LDAP client without using SASL. Is
there a way? For instance, the following fails with "ldapsearch: not
compiled with SASL support":

    ldapsearch -x -W -D cn=authorizeduser,dc=test -X cn=config,dc=test

--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
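
The entry described in the quoted advice, written out as LDIF. This is an added example, not part of either poster's message: the `organizationalRole` object class and the `ou=admins,dc=test` subtree are assumptions chosen for illustration, while the DNs `cn=config,dc=test` and `cn=authorizeduser,dc=test` come from the thread.

```ldif
# Constructed example: load with ldapmodify into the "dc=test" database.
# Requires "authz-policy from" in the global slapd configuration and
# rootdn "cn=config,dc=test" on the config database, as quoted above.

# The entry whose DN matches the rootdn of the config database.
# authzFrom lists the identities that may assume this entry's identity.
dn: cn=config,dc=test
changetype: add
objectClass: organizationalRole
cn: config
authzFrom: dn.exact:cn=authorizeduser,dc=test

# Optional second rule in LDAP URI form: any person entry directly under
# the (hypothetical) ou=admins,dc=test container may also assume the identity.
dn: cn=config,dc=test
changetype: modify
add: authzFrom
authzFrom: ldap:///ou=admins,dc=test??one?(objectClass=person)
```

Every identity matched by an `authzFrom` value can act as the rootdn of the config database, so keep the rules as narrow as possible and restrict write access to the `authzFrom` attribute itself with ACLs.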