slapd-ldap configuration and identity assertion
I think my problem at this point is that I can't seem to get back-ldap to
use the authzID to try to assert another identity.
If I have the following then all operations are carried out as the
binddn, which is what I would expect.
idassert-bind bindmethod=simple
binddn="cn=erici,dc=cc,dc=utexas,dc=edu"
credentials="hithere"
mode=none
And if I set mode=self then I see things like the following in the logs
and I gather that appropriate things are happening.
==>slap_sasl_authorized: can cn=erici,dc=cc,dc=utexas,dc=edu become (null)?
==>slap_sasl_check_authz: does cn=erici,dc=cc,dc=utexas,dc=edu match authzFrom rule in ?
<==slap_sasl_check_authz: authzFrom check returning 32
<== slap_sasl_authorized: return 48
<= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
But I can't seem to get authzID to work as documented. When I don't
specify 'mode' and I do specify authzID, I'm led to believe that I should
see a bind from the binddn and then an identity assertion to the authzID.
database ldap
suffix dc=test
uri "ldap://localhost:1389"
idassert-bind bindmethod=simple
binddn="cn=erici,dc=cc,dc=utexas,dc=edu"
credentials="hithere"
authzID="dn:cn=config,dc=test"
idassert-authzFrom "dn.regex:.*"
Instead, the connection gets relayed without using the binddn or the
authzID as if I hadn't used idassert-bind at all.
Am I missing something?
--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
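As an added example (not part of Eric's post and not OpenLDAP's own code): a small Python script that turns slapd debug lines of the shape quoted above into one record per identity-assertion attempt, so failed assertions can be picked out of a busy log, plus a simplified evaluator for idassert-authzFrom rules of the dn.exact/dn.regex/dn.subtree/dn.children form so a rule can be sanity-checked against a client DN before it goes into slapd.conf. Assumptions: the regular expressions are written against exactly the debug-line shapes quoted in the post; DN normalisation is naive (lower-casing and blank-stripping, no handling of escaped commas) rather than slapd's schema-aware normalisation; the result-code names are the standard LDAP ones, with 47 being OpenLDAP's proxy-authorization failure code. The sample log is a re-typed copy of the lines in the post with the mailer's line wraps undone.

```python
import re

# Constructed sample input: the slapd debug lines quoted in the post, with the
# two lines the mailer wrapped re-joined so each record sits on one line.
SAMPLE_LOG = """\
==>slap_sasl_authorized: can cn=erici,dc=cc,dc=utexas,dc=edu become (null)?
==>slap_sasl_check_authz: does cn=erici,dc=cc,dc=utexas,dc=edu match authzFrom rule in ?
<==slap_sasl_check_authz: authzFrom check returning 32
<== slap_sasl_authorized: return 48
<= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
"""

# LDAP result codes seen in the excerpt (standard values; 47 is the
# OpenLDAP proxy-authorization failure code).
RESULT_CODES = {
    0: "success",
    32: "noSuchObject",
    47: "proxyAuthzFailure",
    48: "inappropriateAuthentication",
}

ASK_RE = re.compile(r"slap_sasl_authorized: can (?P<who>.+?) become (?P<target>.*?)\?\s*$")
RULE_RE = re.compile(r"slap_sasl_check_authz: does .+? match authzFrom rule in (?P<rule>.*?)\s*\?\s*$")
CHECK_RE = re.compile(r"authzFrom check returning (?P<rc>\d+)")
RETURN_RE = re.compile(r"slap_sasl_authorized: return (?P<rc>\d+)")
CTRL_RE = re.compile(r'get_ctrls: n=\d+ rc=(?P<rc>\d+) err="(?P<err>[^"]*)"')


def parse_authz_log(text):
    """Group the debug lines into one record per identity-assertion attempt:
    who asked, which identity they tried to become, the authzFrom rule that
    was consulted, and the result codes slapd returned for the rule check,
    the overall authorization decision, and the proxyAuthz control."""
    records = []
    rec = None
    for line in text.splitlines():
        if (m := ASK_RE.search(line)):
            target = m.group("target")
            rec = {"who": m.group("who"),
                   "target": None if target == "(null)" else target,
                   "rule": None, "check_rc": None, "authz_rc": None,
                   "control_rc": None, "err": None}
            records.append(rec)
        elif rec is None:
            continue  # outcome lines before any question: nothing to attach them to
        elif (m := RULE_RE.search(line)):
            rec["rule"] = m.group("rule")
        elif (m := CHECK_RE.search(line)):
            rec["check_rc"] = int(m.group("rc"))
        elif (m := RETURN_RE.search(line)):
            rec["authz_rc"] = int(m.group("rc"))
        elif (m := CTRL_RE.search(line)):
            rec["control_rc"] = int(m.group("rc"))
            rec["err"] = m.group("err")
    return records


def describe(rec):
    """One-line summary of a record, suitable for grepping out failures."""
    target = rec["target"] or "<none/(null)>"
    rc = rec["control_rc"] if rec["control_rc"] is not None else rec["authz_rc"]
    name = RESULT_CODES.get(rc, "unknown")
    status = "OK" if rc == 0 else f"FAILED rc={rc} ({name})"
    return f"{rec['who']} -> {target}: {status}; authzFrom rule={rec['rule']!r}"


def _norm(dn):
    # Assumption: naive normalisation (lower-case, strip blanks around RDNs).
    # slapd normalises DNs against the schema and handles escaped commas; this does not.
    return ",".join(part.strip().lower() for part in dn.split(","))


def check_authz_from(rule, client_dn):
    """Simplified model of an idassert-authzFrom rule of the dn.<style>:<value>
    form (exact, regex, subtree, children): does client_dn satisfy the rule?"""
    style, sep, value = rule.partition(":")
    if not sep or not style.startswith("dn."):
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    style = style[3:]
    dn = _norm(client_dn)
    if style == "regex":
        return re.fullmatch(value, dn, re.IGNORECASE) is not None
    base = _norm(value)
    if style == "exact":
        return dn == base
    if style == "subtree":
        return dn == base or dn.endswith("," + base)
    if style == "children":
        return dn != base and dn.endswith("," + base)
    raise ValueError(f"unsupported dn style: {style!r}")


if __name__ == "__main__":
    for rec in parse_authz_log(SAMPLE_LOG):
        print(describe(rec))
    print(check_authz_from("dn.regex:.*", "cn=erici,dc=cc,dc=utexas,dc=edu"))
```

Run against the excerpt from the post, the parser yields a single record whose target is None (the "(null)" in the log) and whose control result is 47; the rule evaluator confirms that "dn.regex:.*" accepts the binddn, so a rejected assertion with that rule points at something other than the rule text itself.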