(ITS#4256) HEADS-UP: chain overlay authz configuration
Full_Name: Pierangelo Masarati
Version: re23
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (81.74.43.82)
Submitted by: ando
Recently in re23 (I think between 2.3.12 and 2.3.13) a bug was fixed in
slapd-ldap/slapo-chain, but it went unnoticed. This bug allowed the
configuration of slapo-chain(5) using the chain-acl-bind directive to provide
the identity assertion feature in a way that behaved similarly to the
chain-idassert-bind directive. This error was reflected in the tests that used
the slapo-chain(5) overlay.
The fix has already been released, so this ITS is being filed only to track the
issue.
The __INCORRECT__ configuration of slapo-chain (for example) was:
overlay chain
chain-uri <URI>
chain-acl-bind bindmethod=simple
               binddn=<BD>
               credentials=<cred>
The __CORRECT__ configuration is:
overlay chain
chain-uri <URI>
chain-idassert-bind bindmethod=simple
                    binddn=<BD>
                    credentials=<cred>
                    mode=self
Note that now an identity assertion directive can only be used __after__ a
"chain-uri" specification; unspecified URIs can only be chained anonymously.
p.
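
The two conditions this report describes (chain-acl-bind used where identity assertion was intended, and an identity assertion directive placed before any chain-uri) can be checked in an existing slapd.conf. The following is an added example, not part of the original message or of OpenLDAP; the function names, sample URI, DN and credentials are constructed, and the acl-bind finding is a heuristic that only flags a chained URI for review.

```python
# Heuristic slapd.conf audit for slapo-chain; all sample values are constructed.
def logical_lines(text):
    """Join continuation lines (leading whitespace); drop blanks and comments."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out

def audit_chain(text):
    """Return (finding, uri) tuples for the overlay chain sections in text."""
    findings, in_chain, uri, seen = [], False, None, {}
    for line in logical_lines(text):
        words = line.split()
        key = words[0].lower()
        if key in ("overlay", "database", "backend"):
            # Any new section ends the current chain overlay scope.
            in_chain = key == "overlay" and words[1:2] == ["chain"]
            uri = None
        elif in_chain and key == "chain-uri":
            uri = words[1] if len(words) > 1 else "<missing>"
            seen.setdefault(uri, set())
        elif in_chain and key in ("chain-acl-bind", "chain-idassert-bind"):
            if uri is not None:
                seen[uri].add(key)
            elif key == "chain-idassert-bind":
                # Identity assertion is only valid after a chain-uri.
                findings.append(("idassert-before-uri", None))
    for u, keys in seen.items():
        # After the fix, acl-bind alone no longer asserts the client identity.
        if "chain-acl-bind" in keys and "chain-idassert-bind" not in keys:
            findings.append(("acl-bind-without-idassert", u))
    return findings

INCORRECT = """\
overlay chain
chain-uri ldap://upstream.example
chain-acl-bind bindmethod=simple
    binddn="cn=proxy,dc=example,dc=com"
    credentials=secret
"""
# Same section rewritten with the identity assertion directive and mode=self.
CORRECT = INCORRECT.replace("chain-acl-bind", "chain-idassert-bind") + "    mode=self\n"

if __name__ == "__main__":
    print(audit_chain(INCORRECT), audit_chain(CORRECT))
```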