Re: slapo-chain
Pierangelo Masarati <ando@sys-net.it> wrote:
> Yes. You should map the identity of the certificate DN onto some
> existing identity on the producer using the authz-regexp directive, and
> then add to that identity an authzTo rule that allows it to authorize as
> anyone (or as those that are authorized to exploit this feature).
I got it working. Here is what I have; I'd be glad if you could confirm to me
that I did not introduce security holes:
On the replica:
overlay chain
chain-uri ldaps://ldap0.example.net
chain-idassert-bind bindmethod=sasl
        saslmech=EXTERNAL
        binddn="cn=bugworkaround"
        mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
On the master:
authz-policy to
authz-regexp cn=ldap1.example.net
        cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
authz-regexp cn=ldap2.example.net
        cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
access to attrs=authzTo
        by * read stop
In the DIT:
dn: ou=pseudo-user,dc=example,dc=net
objectClass: organizationalUnit
ou: pseudo-user

dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap1.example.net
ou: pseudo-user
authzTo: *

dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap2.example.net
ou: pseudo-user
authzTo: *
--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@netbsd.org
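The two mechanisms the master relies on, authz-regexp mapping the certificate identity onto a pseudo-user entry and authz-policy "to" letting that entry's authzTo values decide whom it may act as, modelled in a small script. This is an added illustration, not slapd code or anything from the thread; it assumes unanchored, case-insensitive regexp matching, supports only the "*", "dn.exact:" and "dn.regex:" authzTo forms, and adds a constructed narrowed rule on the ldap2 entry so the effect of "*" can be compared with a scoped rule.

```python
import re

# Constructed, simplified model of two slapd mechanisms (not slapd's own code).
# Assumptions: authz-regexp patterns are applied unanchored and case-insensitively
# to the authenticating identity; only "*", "dn.exact:" and "dn.regex:" authzTo
# values are modelled; identity strings below are constructed sample inputs.

# authz-regexp directives from the master, as (pattern, replacement DN) pairs.
AUTHZ_REGEXP = [
    (r"cn=ldap1.example.net", "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net"),
    (r"cn=ldap2.example.net", "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net"),
]

# Constructed DIT fragment: ldap1 keeps the wildcard from the post; ldap2 is given a
# hypothetical scoped rule so the two behaviours can be compared side by side.
DIT = {
    "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net": {"authzTo": ["*"]},
    "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net": {
        "authzTo": [r"dn.regex:^uid=[^,]+,ou=people,dc=example,dc=net$"]},
}


def map_authc_identity(authc_id):
    """Return the DN the first matching authz-regexp maps authc_id to, else None."""
    for pattern, replacement in AUTHZ_REGEXP:
        if re.search(pattern, authc_id, re.IGNORECASE):
            return replacement  # the post's rules use no capture groups
    return None


def authz_to_permits(rule, target_dn):
    """Evaluate one authzTo value against the identity the client wants to assert."""
    if rule == "*":
        return True  # any identity may be asserted
    lowered = rule.lower()
    if lowered.startswith("dn.exact:"):
        return rule[len("dn.exact:"):].lower() == target_dn.lower()
    if lowered.startswith("dn.regex:"):
        return re.search(rule[len("dn.regex:"):], target_dn, re.IGNORECASE) is not None
    return False  # other forms (dn.subtree:, ldap:///...) are not modelled


def may_assert(authc_id, target_dn):
    """With authz-policy "to": may the mapped identity act as target_dn?"""
    mapped = map_authc_identity(authc_id)
    if mapped is None or mapped not in DIT:
        return False  # unmapped identities get no proxy authorization at all
    return any(authz_to_permits(r, target_dn) for r in DIT[mapped]["authzTo"])
```

Running may_assert for the two replicas against an ordinary user DN and against a DN outside ou=people shows that the wildcard entry is allowed both, while the scoped entry is allowed only the former.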