
Re: (ITS#6456) Feature Request



> Full_Name: J
> Version: 2.4.20
> OS: Debian-Lenny/amd64
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (68.15.14.98)
>
>
> Greetings,
>
> Having found out this doesn't already exist as another parameter or
> configuration method, I am hereby submitting a request for a particular
> feature.
>
> When performing idassert-bind operations, such as with back_ldap, it would
> be great if an option could be added which would allow specific matched
> client DNs to be matched and asserted as usual (e.g: the anonymous user
> asserting to a backend "proxyauthenticator" account) .... while other
> clients (flagged somehow) would pass-through as themselves.
>
> Example (as I might do it for my purposes):
>
> idassert-bind
>    bindmethod="simple"
>    binddn="uid=proxyauthenticator,ou=users,dc=example,dc=com"
>    credentials="password_string"
>    starttls="yes"
>    tls_reqcert="never"
>    mode="none"
>
> # anonymous clients will assert as "proxyauthenticator", since the backend
> # may not allow anonymous binds.
> idassert-authzFrom "dn.exact:"
>
>  # this guy will pass through as himself to the backend, as-is.
> idassert-passThrough "dn.exact:uid=admin,ou=users,dc=example,dc=com"
>
> This would be really helpful, not sure if it's difficult to implement ...

This is now implemented in back-ldap (idassert-passthru,
olcDbIDAssertPassThru, undocumented yet).  Basically, identities matching
rules formally identical to those of idassert-authzFrom do not undergo
identity assertion.  This rule is checked before idassert-authzFrom, so in
case an identity matches both, passthru wins.

Please test and report.

p.
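
The evaluation order described in the reply above can be modelled to audit a rule set before deployment. This is an added example, not back-ldap code and not part of the original message. It assumes simplified DN normalization, covers only the dn.exact, dn.subtree, dn.children and dn.regex rule styles, and the result labels and the extra dn.subtree rule are hypothetical.

```python
import re

def norm(dn):
    # Simplified normalization (assumption): lowercase, trim spaces around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def rule_matches(rule, dn):
    # rule looks like "dn.exact:<dn>", as in the idassert-authzFrom line quoted above.
    style, _, pattern = rule.partition(":")
    dn = norm(dn)
    if style == "dn.regex":
        # Python's re stands in for slapd's regex matching here (approximation).
        return re.search(pattern, dn, re.IGNORECASE) is not None
    pattern = norm(pattern)
    if style in ("dn", "dn.exact"):
        return dn == pattern
    if style == "dn.subtree":
        return dn == pattern or dn.endswith("," + pattern)
    if style == "dn.children":
        return dn.endswith("," + pattern)
    raise ValueError("unsupported rule style: " + style)

def decide(client_dn, passthru_rules, authzfrom_rules):
    # The passthru list is checked first, so it wins when both lists match.
    if any(rule_matches(r, client_dn) for r in passthru_rules):
        return "passthru"   # client reaches the backend as itself
    if any(rule_matches(r, client_dn) for r in authzfrom_rules):
        return "assert"     # identity assertion via the idassert-bind account
    return "unmatched"      # neither list applies (hypothetical label)

# Constructed rule sets: the two rules from the request, plus a broad
# dn.subtree authzFrom rule added here to show the overlap case.
PASSTHRU = ["dn.exact:uid=admin,ou=users,dc=example,dc=com"]
AUTHZFROM = ["dn.exact:", "dn.subtree:ou=users,dc=example,dc=com"]

if __name__ == "__main__":
    for dn in ["", "uid=admin,ou=users,dc=example,dc=com",
               "uid=bob,ou=users,dc=example,dc=com", "cn=svc,dc=other,dc=org"]:
        print(repr(dn), "->", decide(dn, PASSTHRU, AUTHZFROM))
```

The admin DN matches both lists and still resolves to passthru, so an overly broad passthru pattern removes identities from assertion regardless of what idassert-authzFrom says.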