(ITS#4256) HEADS-UP: chain overlay authz configuration

Full_Name: Pierangelo Masarati
Version: re23
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (
Submitted by: ando

Recently in re23 (I think between 2.3.12 and 2.3.13) a bug was fixed in
slapd-ldap/slapo-chain, but it went unnoticed.  This bug allowed the
configuration of slapo-chain(5) using the chain-acl-bind directive to provide
the identity assertion feature in a way that behaved similarly to the
chain-idassert-bind directive.  This error was reflected in the tests that used
the slapo-chain(5) overlay.

The fix has already been released, so this ITS is being filed only to track the

The __INCORRECT__ configuration of slapo-chain (for example) was:

overlay chain
chain-uri <URI>
chain-acl-bind  bindmethod=simple

The __CORRECT__ configuration is:

overlay chain
chain-uri <URI>
chain-idassert-bind  bindmethod=simple

Note that now an identity assertion directive can only be used __after__ a
"chain-uri" specification; unspecified URIs can only be chained anonymously.
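
The following is an added example, not part of the original message and not OpenLDAP project code: a small linter that flags the two conditions described above in a slapd.conf, namely chain-acl-bind used without chain-idassert-bind for a chained URI, and chain-idassert-bind placed before any chain-uri. The sample configuration, hostname and DN are constructed placeholders, and the function name lint_chain is hypothetical.

```python
# Added example: lint a slapd.conf for the two chain-overlay pitfalls described above.
# Constructed sample; the URI and DN are placeholders.
SAMPLE = """\
database bdb
suffix "dc=example,dc=com"
overlay chain
chain-idassert-bind bindmethod=simple binddn="cn=proxy,dc=example,dc=com"
chain-uri ldap://upstream.example.com
chain-acl-bind bindmethod=simple binddn="cn=proxy,dc=example,dc=com"
"""

def lint_chain(conf_text):
    """Return [(line_no, message)] for slapo-chain authz directives worth reviewing."""
    findings = []
    in_chain = seen_uri = has_idassert = False
    acl_line = None

    def flush():
        # Closing a URI (or the overlay): acl-bind alone asserts no identity.
        if acl_line is not None and not has_idassert:
            findings.append((acl_line, "chain-acl-bind without chain-idassert-bind"))

    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        # Skip blanks, comments and continuation lines (leading whitespace).
        if not words or words[0].startswith("#") or raw[0].isspace():
            continue
        key = words[0].lower()
        if key in ("overlay", "database", "backend"):
            flush()
            in_chain = key == "overlay" and words[1:2] == ["chain"]
            seen_uri, has_idassert, acl_line = False, False, None
        elif not in_chain:
            continue
        elif key == "chain-uri":
            flush()
            seen_uri, has_idassert, acl_line = True, False, None
        elif key == "chain-idassert-bind":
            if seen_uri:
                has_idassert = True
            else:
                findings.append((no, "chain-idassert-bind before any chain-uri"))
        elif key == "chain-acl-bind":
            acl_line = no
    flush()
    return findings

if __name__ == "__main__":
    for no, msg in lint_chain(SAMPLE):
        print(f"line {no}: {msg}")
```

A chain-acl-bind finding is a prompt for review, not necessarily an error: the directive is still valid for its own purpose, it just no longer provides identity assertion.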