Re: slapo-chain
Pierangelo Masarati <ando@sys-net.it> wrote:
> > And the BIND operation still shows the TLS certificate DN for both
> > authzid and authcid: the binddn or authcid I provide does not appear.
> That's expected: it is only needed by an internal check that decides
> whether to proxyAuthz or not. I've fixed this in HEAD/re24/re23, if you
> could try it... it's a trivial patch from back-ldap/bind.c you can pull
> from the CVS.
Does that patch fix the problem alone, or do I also need authz-regexp?
For OpenLDAP 2.3.38, I just need bind.c 1.85.2.36-1.85.2.37, right? No
other file needs to be changed?
> > Do I miss some directive on the master to allow the proxy authorization?
> Yes. You should map the identity of the certificate DN onto some
> existing identity on the producer using the authz-regexp directive, and
> then add to that identity an authzTo rule that allows it to authorize as
> anyone (or as those that are authorized to exploit this feature).
Something like this? (I have never used those statements before)
authz-regexp
    cn=ldap1.example.net
    uid=ldap1,ou=pseudousers,dc=example,dc=net
authzTo dn.exact="uid=ldap1,ou=pseudousers,dc=example,dc=net"
Do I need authz-policy?
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
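The producer-side setup Pierangelo describes (map the certificate DN with authz-regexp, give the mapped identity an authzTo value, enable the matching authz-policy), written out as an added example. This is not code from the thread or from OpenLDAP itself. Everything specific to it is assumed: the consumer's certificate subject is taken to be "cn=ldap1.example.net,o=example,c=fr" and to arrive as the SASL EXTERNAL authcid in lowercase normalized DN form; the function names producer_slapd_conf, pseudouser_ldif and authz_map are invented; the "to" policy and the dn.subtree pattern are one reasonable choice, not the only one. Two points the fragment relies on that the thread does not spell out: authzTo is an attribute on the entry (set via LDIF), not a slapd.conf directive, and its values use a colon ("dn.subtree:..."), not the ACL-style dn.exact="...".

```shell
#!/bin/sh
# Added example, not part of the original thread or of OpenLDAP.
# ASSUMED: the consumer authenticates with a client certificate whose
# subject slapd presents as the authcid "cn=ldap1.example.net,o=example,c=fr"
# (lowercase, normalized DN). Adjust AUTHZ_MATCH to your real certificate DN.

# POSIX extended regex slapd applies to the authcid, and the entry it maps to.
AUTHZ_MATCH='^cn=ldap1\.example\.net,o=example,c=fr$'
AUTHZ_REPLACE='uid=ldap1,ou=pseudousers,dc=example,dc=net'

# slapd.conf fragment for the producer. Continuation lines must start with
# whitespace, otherwise slapd reads them as separate directives.
producer_slapd_conf() {
  cat <<EOF
# map the consumer's certificate DN onto a real entry
authz-regexp
    "$AUTHZ_MATCH"
    "$AUTHZ_REPLACE"
# check the authzTo attribute on the authenticating ("source") identity
authz-policy to
EOF
}

# LDIF for the pseudouser entry. authzTo is an attribute of the entry, with
# values of the form dn.exact:/dn.regex:/dn.subtree:<pattern> (colon syntax).
# dn.subtree lets the proxy assume any identity below dc=example,dc=net;
# narrow it to a dn.regex if only some users may be proxied.
pseudouser_ldif() {
  cat <<EOF
dn: $AUTHZ_REPLACE
changetype: modify
add: authzTo
authzTo: dn.subtree:dc=example,dc=net
EOF
}

# Offline preview of what authz-regexp will do with a given authcid DN,
# using the same ERE. Prints the mapped DN on a match, otherwise the input
# (lowercased as a rough stand-in for slapd's DN normalization; ASSUMED).
authz_map() {
  dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  if printf '%s\n' "$dn" | grep -Eq "$AUTHZ_MATCH"; then
    printf '%s\n' "$AUTHZ_REPLACE"
  else
    printf '%s\n' "$dn"
  fi
}

# Running the script stand-alone prints the two fragments and a mapping preview.
producer_slapd_conf
echo
pseudouser_ldif
echo
authz_map 'CN=ldap1.example.net,O=Example,C=FR'
```

After loading the fragment and the LDIF, the check I would run from the consumer host is ldapwhoami with the client certificate and an explicit authorization identity, e.g. ldapwhoami -Y EXTERNAL -ZZ -H ldap://master.example.net -e authzid="dn:uid=someone,ou=people,dc=example,dc=net" (hostname and target DN assumed); it should answer with the requested DN rather than the pseudouser's, and with "authz-policy none" or a missing authzTo it fails with an authorization error, which is the quickest way to tell the two misconfigurations apart.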