Re: slapo-chain
Emmanuel Dreyfus wrote:
> Pierangelo Masarati <ando@sys-net.it> wrote:
>
>> Yes. You should map the identity of the certificate DN onto some
>> existing identity on the producer using the authz-regexp directive, and
>> then add to that identity an authzTo rule that allows it to authorize as
>> anyone (or as those that are authorized to exploit this feature).
>
> I got it working. Here is what I have; I'd be glad if you could confirm
> that I did not introduce any security holes:
>
>
> On the replica:
> overlay chain
> chain-uri ldaps://ldap0.example.net
> chain-idassert-bind bindmethod=sasl
>         saslmech=EXTERNAL
>         binddn="cn=bugworkaround"
>         mode=self
> chain-idassert-authzFrom "*"
> chain-return-error TRUE
>
>
> On the master:
> authz-policy to
> authz-regexp cn=ldap1.example.net
>         cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
> authz-regexp cn=ldap2.example.net
>         cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
>
> access to attrs=authzTo
>         by * read stop
>
>
> In the DIT:
> dn: ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalUnit
> ou: pseudo-user
>
> dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap1.example.net
> ou: pseudo-user
> authzTo: *
>
> dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap2.example.net
> ou: pseudo-user
> authzTo: *
Correct. See my previous message.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
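The authorization path the two configurations above set up has three steps: the master maps the replica's SASL EXTERNAL identity (the subject DN of its client certificate) onto a pseudo-user entry with authz-regexp, the replica (slapo-chain with mode=self) asserts the original client's DN on the chained operation, and the master's authz-policy "to" consults the pseudo-user's authzTo values to decide whether that assertion is allowed. The following is an added example that re-implements those checks in plain Python so the policy can be exercised offline; it is not OpenLDAP code and not something posted in the thread. The DIT, the certificate subject DNs under o=Example,c=FR, and the subtree-limited authzTo given to the ldap2 pseudo-user (the narrower alternative Pierangelo alludes to with "those that are authorized to exploit this feature") are constructed for the example; the thread itself uses "authzTo: *" for both pseudo-users. DN normalisation is simplified to case folding and whitespace trimming.

```python
"""Offline model of the proxy-authorization decisions behind the posted
slapo-chain / authz-regexp / authzTo configuration.  Added example, not
OpenLDAP code: DN handling is crude (case fold, trim around commas; escaped
commas are not handled) and the DIT below is constructed."""
import re

# authz-regexp rules from the posted master config, tried in order against
# the SASL authcid DN.  As regexes they are unanchored and "." matches any
# character; r"^cn=ldap1\.example\.net(,.*)?$" would be the tightened form.
AUTHZ_REGEXP = [
    (r"cn=ldap1.example.net", "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net"),
    (r"cn=ldap2.example.net", "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net"),
]

# Constructed DIT: ldap1 keeps the posted "authzTo: *"; ldap2 is given a
# subtree-limited value so the two behaviours can be compared.
DIT = {
    "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net":
        {"authzTo": ["*"]},
    "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net":
        {"authzTo": ["dn.subtree:ou=people,dc=example,dc=net"]},
    "cn=alice,ou=people,dc=example,dc=net": {},
    "cn=admin,dc=example,dc=net": {},
}

# chain-idassert-authzFrom from the posted replica config.
CHAIN_IDASSERT_AUTHZFROM = ["*"]


def norm_dn(dn):
    """Crude DN normalisation: fold case, drop whitespace around commas."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).lower()


def map_authcid(sasl_dn, rules=AUTHZ_REGEXP):
    """authz-regexp: first matching rule wins; $1..$9 in the replacement
    refer to regex groups.  Returns None when no rule matches."""
    for pattern, replacement in rules:
        m = re.search(pattern, sasl_dn, re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def authz_rule_allows(rule, dn):
    """Evaluate one authzTo/authzFrom value (slapd authz syntax) against a DN."""
    if rule == "*":
        return True
    target = norm_dn(dn)
    if rule.startswith("dn.regex:"):
        return re.search(rule[len("dn.regex:"):], dn, re.IGNORECASE) is not None
    for prefix in ("dn.exact:", "dn:"):
        if rule.startswith(prefix):
            return target == norm_dn(rule[len(prefix):])
    if rule.startswith("dn.subtree:"):
        base = norm_dn(rule[len("dn.subtree:"):])
        return target == base or target.endswith("," + base)
    if rule.startswith("dn.children:"):
        return target.endswith("," + norm_dn(rule[len("dn.children:"):]))
    raise ValueError("unsupported authz value: " + rule)


def _entry(dn, dit):
    return next((e for k, e in dit.items() if norm_dn(k) == norm_dn(dn)), None)


def _allowed_by(attr, holder_dn, other_dn, dit):
    entry = _entry(holder_dn, dit)
    return entry is not None and any(
        authz_rule_allows(r, other_dn) for r in entry.get(attr, []))


def master_may_assert(sasl_dn, target_dn, dit=DIT, policy="to"):
    """Master-side decision: may the identity behind sasl_dn act as target_dn?
    Returns (allowed, mapped_identity).  authz-policy semantics: 'to' consults
    the mapped identity's authzTo, 'from' the target's authzFrom, 'any'
    accepts either, 'all' requires both, 'none' refuses."""
    mapped = map_authcid(sasl_dn) or sasl_dn   # an unmapped DN has no entry
    to_ok = _allowed_by("authzTo", mapped, target_dn, dit)
    from_ok = _allowed_by("authzFrom", target_dn, mapped, dit)
    verdict = {"none": False, "to": to_ok, "from": from_ok,
               "any": to_ok or from_ok, "all": to_ok and from_ok}[policy]
    return verdict, mapped


def chained_write_allowed(client_dn, replica_cert_dn, dit=DIT):
    """End to end: the replica (mode=self) asserts client_dn only if
    chain-idassert-authzFrom admits that client; the master then applies
    authz-policy to the replica's mapped identity."""
    if not any(authz_rule_allows(r, client_dn) for r in CHAIN_IDASSERT_AUTHZFROM):
        return False
    return master_may_assert(replica_cert_dn, client_dn, dit)[0]


if __name__ == "__main__":
    alice, admin = "cn=alice,ou=people,dc=example,dc=net", "cn=admin,dc=example,dc=net"
    for replica in ("cn=ldap1.example.net,o=Example,c=FR",
                    "cn=ldap2.example.net,o=Example,c=FR",
                    "cn=ldap3.example.net,o=Example,c=FR"):
        for who in (alice, admin):
            print(replica, "->", who, chained_write_allowed(who, replica))
```

Running the script shows the effect of the two authzTo values: the ldap1 pseudo-user with "authzTo: *" may assert any DN, including cn=admin, the ldap2 pseudo-user may assert only identities under ou=people, and a certificate that no authz-regexp rule maps (ldap3) cannot assert anyone because the raw SASL DN has no entry and therefore no authzTo.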