
SOLVED (was Re: Proxy authorization not working with ldapdb as auxprop_plugin)

Hi List-

Boy, I feel like an idiot.

I solved the problem by getting some sleep and then searching through
man 5 slapd.conf for saslAuthzTo and thereby found the sasl-authz-policy
parameter which worked as advertised.

Then, thinking that the Admin Guide should have mentioned that
parameter, I discovered that it did mention it.  I just had to read the
_whole_ of 10.3 to find it.  Foolishly, I saw this (below) in the Admin
Guide and stopped reading there.

Since the default behaviour is to deny authorization requests, rules
only specify that a request be allowed; there are no negative rules
telling what authorizations to deny.

The value(s) in the two attributes are of the same form as the output of
the replacement pattern of a sasl-regexp directive: either a DN or an
LDAP URL. For example, if a saslAuthzTo value is a DN, that DN is one
the authenticated user can authorize to. On the other hand, if the
saslAuthzTo value is an LDAP URL, the URL is used as an internal search
of the LDAP database, and the authenticated user can become ANY DN
returned by the search. If an LDAP entry looked like:

        dn: cn=WebUpdate,dc=example,dc=com
        saslAuthzTo: ldap:///dc=example,dc=com??sub?(objectclass=Person)

then any user who authenticated as cn=WebUpdate,dc=example,dc=com could
authorize to any other LDAP entry under the search base
dc=example,dc=com which has an objectClass of Person.

So, my thinking was simply that if I put an appropriate value into the
saslAuthzTo attribute, I was done.

Sorry for the trouble...

Maybe I need to keep my mouth shut in here for a while.  Seems like I end
up putting my foot (feet?) in it more often than not...
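For reference, here is the slapd.conf side that the message above found missing. This is an added illustration, not part of the original post or of the Admin Guide text it quotes: the suffix dc=example,dc=com and the cn=WebUpdate entry are taken from the quoted example, while the DIGEST-MD5 mechanism, the SASL user name WebUpdate and the uid=alice target are assumed for illustration. sasl-authz-policy and sasl-regexp are the older spellings of authz-policy and authz-regexp used in this thread.

```conf
# slapd.conf fragment (example only; names assumed as stated above)

# Without this directive the saslAuthzTo/authzTo attribute is never
# consulted: the default policy is "none", so every proxy authorization
# request is denied even when the attribute is set correctly.
#   to   - honour authzTo on the authenticating entry (this case)
#   from - honour authzFrom on the target entry
#   any  - accept either (spelled "both" in older releases)
#   all  - require both
sasl-authz-policy to

# Map the SASL authentication identity onto the directory entry that
# carries the saslAuthzTo attribute. Assumed: no realm in the SASL id,
# so the identity slapd sees is uid=<user>,cn=digest-md5,cn=auth.
sasl-regexp
    uid=([^,]*),cn=digest-md5,cn=auth
    ldap:///dc=example,dc=com??sub?(cn=$1)

# Check from a client (assumed names):
#   ldapwhoami -Y DIGEST-MD5 -U WebUpdate -X dn:uid=alice,dc=example,dc=com
# With the policy line present and the cn=WebUpdate entry carrying
#   saslAuthzTo: ldap:///dc=example,dc=com??sub?(objectclass=Person)
# the command reports dn:uid=alice,dc=example,dc=com (provided alice's
# entry matches the filter); without the policy line the bind itself
# still succeeds but the requested authorization identity is refused.
```

The mapping and the policy are independent: the sasl-regexp only decides which entry the authenticated user is, and the policy decides whose authzTo/authzFrom values are read when that user asks to become someone else. Both have to be in place before the attribute value matters.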