(ITS#9003) Update slapd-ldap(5) idassert-authzfrom for policy difference
- To: openldap-its@OpenLDAP.org
- Subject: (ITS#9003) Update slapd-ldap(5) idassert-authzfrom for policy difference
- From: quanah@openldap.org
- Date: Thu, 04 Apr 2019 16:07:37 +0000
- Auto-submitted: auto-generated (OpenLDAP-ITS)
Full_Name: Quanah Gibson-Mount
Version: 2.4.47
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.144.40)
The slapd-ldap(5) man page has the following statement:
  idassert-authzFrom <authz-regexp>
      if defined, selects what local identities are authorized to
      exploit the identity assertion feature. The string <authz-regexp>
      follows the rules defined for the authzFrom attribute.
      See slapd.conf(5), section related to authz-policy, for details
      on the syntax of this field.
However, it deviates from the rules laid out in the authz-policy section in that
the special case of "*" has a different meaning for slapd-ldap/slapd-meta. In
their case, this *allows* anonymous, while in the authz-policy case, anonymous
is denied. This exception to the normal behavior needs to be noted.