
Re: Problem with back-ldap and slapo-rwn



Hi!

> It works this way:

[...]

Ok. But in this very case, it's actually not the client who would want to read the authzTo attribute, but Server B. Server B tries to decide if a specific user who authenticated is allowed to assume the authorization of a different user. For that reason, Server B tries to read the authzTo attribute of the user object. That user object lives on Server A and does not have an authzTo attribute but only a saslAuthzTo attribute, due to the fact that the name of that internal attribute changed between 2.2 and 2.3.

We can see Server B querying Server A for the authzTo attribute. So that part is fine.

From the log files I can see there is something like "internal search". Would an overlay and an rwm-map apply to such an internal search as well?

Regards,
Torsten


Pierangelo Masarati wrote:
> Torsten Schlabach (Tascel eG) wrote:
>> Pierangelo!
>>
>> I will happily provide some detailed debugging output. I just wanted to make sure that I understood the concept of rwm-map properly. So looking at our config, there isn't anything obvious that we have missed?
>
> No.
>
>> Just to confirm:
>>
>> We have
>>
>> Server A   <---  Server B   <--- Client
>> (bdb)            (ldap)
>>
>> I need the overlay to happen between Server B and Server A, not between the client and Server B.
>>
>> The manual isn't that detailed ... Or did I miss anything?
>
> It works this way:
>
>            <--- saslAuthzTo <---             <--- authzTo <---
> Server A                          Server B                       Client
>            ---> saslAuthzTo --->             ---> authzTo --->
>
> (bdb)                              (ldap+rwm)
>
> p.
>
>
> Ing. Pierangelo Masarati
> OpenLDAP Core Team
>
> SysNet s.r.l.
> via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ---------------------------------------
> Office:  +39 02 23998309
> Mobile:  +39 333 4963172
> Email:   pierangelo.masarati@sys-net.it
> ---------------------------------------
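The attribute mapping the thread is about, written out as the relevant slapd.conf fragment for Server B (the 2.3 back-ldap proxy in front of the 2.2 bdb Server A). This is an added illustration, not a configuration posted by either correspondent; the suffix and hostname are placeholders, and the `authz-policy to` line is included only because the message above describes Server B consulting authzTo to decide proxy authorization.

```conf
# Server B (OpenLDAP 2.3): back-ldap proxy with slapo-rwm in front of
# Server A (OpenLDAP 2.2). Suffix and hostname are placeholders.

# Global section: Server B decides whether an authenticated user may
# assume another identity by reading authzTo on the user's own entry.
authz-policy    to

# Proxy database pointing at Server A.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://server-a.example.com/"

# slapo-rwm renames the attribute in both directions on this database:
# the local (2.3) name authzTo is sent to Server A as saslAuthzTo in
# requests, and saslAuthzTo in Server A's results is returned as authzTo.
overlay         rwm
rwm-map         attribute authzTo saslAuthzTo
```

The rwm-map directive takes the local name first and the foreign (remote) name second, which matches the direction shown in Pierangelo's diagram: authzTo on the client side of Server B, saslAuthzTo on the Server A side. Whether the slapd-internal lookup performed for the authz-policy check is routed through the overlay stack is exactly the open question in the message above; this fragment only shows where the mapping is declared, and a debug-level log of Server B's request to Server A is what confirms which attribute name actually goes over the wire.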