Re: idassert-authzFrom: Proper way to include only non-anonymous binds
- To: Quanah Gibson-Mount <quanah@symas.com>
- Subject: Re: idassert-authzFrom: Proper way to include only non-anonymous binds
- From: Patrik Lundin <patrik@sigterm.se>
- Date: Fri, 5 Apr 2019 16:35:36 +0200
- Cc: openldap-technical@openldap.org
- In-reply-to: <BDC8AD1F8EF597E155E4EFB0@[192.168.1.39]>
- References: <20190401213925.GA72625@shell1.sigterm.se> <BDC8AD1F8EF597E155E4EFB0@[192.168.1.39]>
- User-agent: Mutt/1.6.2 (2016-07-01)
On Thu, Apr 04, 2019 at 09:01:23AM -0700, Quanah Gibson-Mount wrote:
>
> I had an extensive discussion with Howard about this today. Here's the
> summary:
>
> a) The FAQ is incorrect (I will fix this).
> b) Pierangelo's email is correct
> c) "dn:*" and "dn.regex=.*" are equivalent
> d) The slapd-ldap man page needs to be fixed. I will file an ITS on this.
> The idassert-authzFrom directive follows the same rules as described in the
> slapd.conf(5) man page for authz-policy EXCEPT for it special casing "*" to
> allow anonymous to work.
>
Thanks a lot for the clarifications! Here is the link to the ITS ticket
which was communicated via IRC if anyone else is interested:
https://www.openldap.org/its/index.cgi/?findid=9003
It would be nice if the man page update included mention of the default
behavior when idassert-authzFrom is not set at all. Since the text
currently reads "if defined, selects what local identities are
authorized to exploit the identity assertion feature" it is hard to tell
what happens if it is not defined. Is any identity allowed since there
is no filter? Is no identity allowed since there is no filter?
I believe the correct answer is "any identity except anonymous is
allowed", and it would be great if this was explicit.
Going back to my original question:
> >
> > What is the proper way to make sure only non-anonymous binds are allowed
> > to utilize idassert-bind credentials?
>
Given the above information the proper way would be to not set
idassert-authzFrom at all.
Thanks again for taking the time to sort this out!
Regards,
Patrik Lundin