
(ITS#9003) Update slapd-ldap(5) idassert-authzfrom for policy difference



Full_Name: Quanah Gibson-Mount
Version: 2.4.47
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.144.40)


The slapd-ldap(5) man page has the following statement:

       idassert-authzFrom <authz-regexp>
              if  defined,  selects  what  local  identities are authorized to
              exploit the identity  assertion  feature.   The  string  <authz-
              regexp>  follows  the rules defined for the authzFrom attribute.
              See slapd.conf(5), section related to authz-policy, for  details
              on the syntax of this field.

However, it deviates from the rules laid out in the authz-policy section in that
the special case of "*" has a different meaning for slapd-ldap/slapd-meta.  In
their case, this *allows* anonymous, while in the authz-policy case, anonymous
is denied.  This exception to the normal behavior needs to be noted.