[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: syncrepl, updateref, chain overlay and the authzTo attribute



Edgar Fuß wrote:
> Michael Ströder wrote:
>>
>> That is for proxy authorization. Do you really need that?
>
> I suppose so, at least the documentation under
> http://www.openldap.org/doc/admin24/overlays.html#Chaining
> seems to instruct me to do so.

Hmm, yes. This text implicates use of proxy authz.

But slapo-chain(5) mentions directive 'chain-rebind-as-user' which you
probably want to set to TRUE. There is no descriptive text for this directive
yet (=> filed ITS#6305).

So please try this and report back. I don't have the time today to test it myself.

>> Why is looking at the schema a waste of time?
>
> I was looking /for/ a (non-existent) schema containing the (operational)
> authzTo attribute. To me, taht looks like I've wasted my time. Or am I
> wrong again in my assumption that authzTo is an operational attribute?

As Dieter already noted it's declared hard-coded in the C code not in the
subschema config files. So looking only at the config files might not be
sufficient.
=> Use a decent schema browser to examine the actual subschema subentry of
your server installation.

Ciao, Michael.