
Re: identity assertion

Eric Irrgang wrote:
> If you want to be able to do a simple bind as one DN but perform actions
> as another DN, you need to use some sort of identity assertion. Is there
> a way to do this without using back-ldap?

It's called Proxy Authorization. Some SASL mechanisms allow it, in which case your identity is changed for the entire duration of the session. You can also attach a ProxyAuthorization control to individual operations after authenticating normally.
> Specifically, I'm trying to work around the lack of ACL access to the
> config backend by allowing specific DNs to assert the cn=config rootDN.
> I've got rootdn for cn=config set to cn=config,dc=test and an entry in a
> bdb backend for cn=config,dc=test with an authzFrom attribute set.

I suspect we will be adding normal ACL checking to back-config in the near future. You'll just have to be *extremely* careful about how you configure things.
> So I just need to bind as a user that is authorized with the authzFrom and
> assert the cn=config,dc=test identity, right?


--
Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/
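As an added example (not part of this thread, and not OpenLDAP's own code), the following Python sketch shows both halves of the per-operation proxy authorization Howard describes: the client side builds the RFC 4370 Proxied Authorization control that `ldapsearch -e authzid=dn:...` attaches to a request, and the server side is a simplified model of the authzFrom check slapd performs on the entry whose identity is being asserted. The DNs, the sample directory contents and the helper names are constructed for the example; the rule styles follow the authzFrom syntax documented in the OpenLDAP admin guide (dn.exact, dn.regex, dn.children, dn.subtree, dn.onelevel), and the model assumes slapd is configured with `authz-policy from`, since authzFrom is only consulted under that policy.

```python
import re

# RFC 4370 Proxied Authorization Control; the value is the raw authzId string.
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"


def _ber_len(n: int) -> bytes:
    """Definite-form BER length octets."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(body)) + body


def proxy_authz_control(authzid: str) -> bytes:
    """Client side: encode the LDAP Control that `ldapsearch -e authzid=...` sends.
       Control ::= SEQUENCE { controlType LDAPOID, criticality BOOLEAN, controlValue OCTET STRING }
    RFC 4370 requires criticality TRUE; the value is the authzId ("dn:<DN>" or "u:<userid>")
    as-is, not wrapped in a further BER structure."""
    if not (authzid.startswith("dn:") or authzid.startswith("u:")):
        raise ValueError("authzId must start with 'dn:' or 'u:'")
    return _tlv(0x30, _tlv(0x04, PROXY_AUTHZ_OID.encode())
                      + _tlv(0x01, b"\xff")
                      + _tlv(0x04, authzid.encode()))


def _norm(dn: str) -> str:
    """Crude DN normalisation (lower-case, trim around commas). Real slapd normalises
    per attribute syntax and handles escaped commas; this model does not."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _rdns(dn: str) -> list[str]:
    return _norm(dn).split(",") if dn else []


def authz_from_allows(rule: str, bound_dn: str) -> bool:
    """Server side, simplified: does one authzFrom value admit the authenticated
    identity `bound_dn`?  Only the dn-based styles are modelled; u: and ldap:///
    forms return False here."""
    style, sep, pattern = rule.partition(":")
    if not sep or not (style == "dn" or style.startswith("dn.")):
        return False
    style = style[3:] or "exact"          # "dn:" is shorthand for "dn.exact:"
    bound = _norm(bound_dn)
    if style == "exact":
        return bound == _norm(pattern)
    if style == "regex":
        return re.fullmatch(pattern, bound, re.IGNORECASE) is not None
    base, rdns = _rdns(pattern), _rdns(bound_dn)
    below = len(rdns) > len(base) and rdns[-len(base):] == base
    if style == "subtree":
        return bound == _norm(pattern) or below
    if style == "children":
        return below
    if style == "onelevel":
        return below and len(rdns) == len(base) + 1
    return False


# Constructed sample: the entry whose identity may be assumed, with its authzFrom values.
SAMPLE_DIRECTORY = {
    "cn=config,dc=test": [
        "dn.exact:uid=alice,ou=people,dc=test",
        "dn.children:ou=ldapadmins,dc=test",
    ],
}


def can_assert(bound_dn: str, authzid: str, directory=SAMPLE_DIRECTORY) -> bool:
    """Decide whether the session bound as `bound_dn` may proxy as `authzid`
    (assumes authz-policy from; only dn: authzIds are modelled)."""
    if not authzid.startswith("dn:"):
        return False
    target = _norm(authzid[3:])
    rules = next((v for k, v in directory.items() if _norm(k) == target), [])
    return any(authz_from_allows(r, bound_dn) for r in rules)


if __name__ == "__main__":
    print("control:", proxy_authz_control("dn:cn=config,dc=test").hex())
    for who in ("uid=alice,ou=people,dc=test",
                "uid=bob,ou=ldapadmins,dc=test",
                "uid=mallory,ou=people,dc=test"):
        print(who, "->", can_assert(who, "dn:cn=config,dc=test"))
```

The same authzFrom values gate the session-wide form too: with a SASL bind, the authzid supplied at bind time is checked once against the target entry's authzFrom and the whole session then runs as that identity, whereas the control above is evaluated per operation.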