[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapo-chain

To: Emmanuel Dreyfus <manu@netbsd.org>
Subject: Re: slapo-chain
From: Pierangelo Masarati <ando@sys-net.it>
Date: Mon, 10 Sep 2007 00:11:37 +0200
Cc: openldap-software@openldap.org
In-reply-to: <1i475ur.czq8r94q86tbM%manu@netbsd.org>
References: <1i475ur.czq8r94q86tbM%manu@netbsd.org>
User-agent: Mail/News 1.5.0.8 (X11/20061210)

Emmanuel Dreyfus wrote:

> It does alter the behavior: now I get this on the master
> Sep  9 23:41:10 ldap0 slapd[5365]: conn=170 op=1 RESULT tag=103 err=47
> text=not authorized to assume identity 
> 
> And the BIND operation still shows the TLS certificate DN for both
> authzid and authcid: the binddn or authcid I provide does not appear.

That's expected: it is only needed by an internal check that decides
whether to proxyAuthz or not.  I've fixed this in HEAD/re24/re23, if you
could try it... it's a trivial patch from back-ldap/bind.c you can pull
from the CVS.

> Do I miss some directive on the master to allow the proxy authorization?

Yes.  You should map the identity of the certificate DN onto some
existing identity on the producer using the authz-regexp directive, and
then add to that identity an authzTo rule that allows it to authorize as
anyone (or as those that are authorized to exploit this feature).

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------

Follow-Ups:
- Re: slapo-chain
  - From: manu@netbsd.org (Emmanuel Dreyfus)
- Re: slapo-chain
  - From: manu@netbsd.org (Emmanuel Dreyfus)

References:
- Re: slapo-chain
  - From: manu@netbsd.org (Emmanuel Dreyfus)

Prev by Date: Re: slapo-chain
Next by Date: Re: krb5PrincipalName and userPassword
Index(es):
- Chronological
- Thread