
Re: identity assertion



What I don't follow is why you are trying to put back-ldap in the
middle.  Isn't your problem about finding some way to allow regular
users to access the cn=config tree?  You don't need back-ldap; you just
need to be able to authorize users to assume the identity you specified
as rootdn of the cn=config database.  Slapd allows you to do that
without back-ldap.  You could also do something like

authz-policy	from

database        config
rootdn          "cn=config,dc=test"

Then, in the "dc=test" database you can add a "cn=config,dc=test" entry
and, in that entry, add "authzFrom" rules that allow those users you
intend to authorize.  The "dc=test" database can be of any type that
allows you to store an entry with the "authzFrom" attribute.

p.

On Fri, 2006-01-20 at 13:53 -0600, Eric Irrgang wrote:
> On Fri, 20 Jan 2006, Pierangelo Masarati wrote:
> 
> >the authorization you're trying to use.  Note that since the cn=config
> >rootdn is not going to be a real entry, you won't be able to add any
> >"authzFrom" to it; you'll have to add "authzTo: dn.exact:cn=config" to
> >the entry of the identity you're binding as, and allow "to"
> >authorization by using "authz-policy to".
> 
> To clarify, aren't I correct in thinking that specifying a rootdn that is
> a real entry will allow me to use a real DN to be authorized for cn=config
> and thus be able to use authzFrom?
> 
> For instance, for cn=config I specified a rootdn of cn=config,dc=test and
> then in dc=test I added an entry for cn=config,dc=test and set the
> userPassword attribute.  Then I was able to bind as cn=config,dc=test and
> get at cn=config.
> 
> I think my problem at this point is that I can't seem to get back-ldap to
> try to assert any identity other than the DN used by the client to
> authenticate.  I see no evidence in the output from '-d -1' that back-ldap
> is even trying to assert a new identity.  I'll try to get data from a
> simpler example and post a more general question, but do you see anything
> wrong with the following?
> 
> database	ldap
> suffix		dc=test
> uri		"ldap://localhost:1389";
> idassert-bind	bindmethod=simple
> 		authzID="dn:cn=config,dc=test"
> idassert-authzFrom "dn:*"
> 




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
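The setup Pierangelo describes above, written out as one complete example.  This is added here for illustration and is not configuration from either poster; the "ou=people,dc=test" container, the uid=eric and uid=alice entries, the bdb backend and the listener on port 1389 are assumptions taken from nothing in the thread.  The point to notice is that whoever matches an authzFrom rule on cn=config,dc=test becomes the rootdn of the config database, i.e. has full control of the running slapd, so the rules should name specific identities rather than something like "dn:*".

```conf
# ---- slapd.conf (excerpt) ---------------------------------------------
# Global: let the *target* entry decide who may assume it.  With the
# "from" policy slapd looks up the entry named by the authzid and checks
# its authzFrom values against the identity that authenticated.
authz-policy    from

# The cn=config database.  Its rootdn is deliberately an entry that lives
# in the dc=test database below; since no rootpw is given here, a bind as
# this DN is authenticated against that entry's userPassword, and a proxy
# authorization to this DN is governed by that entry's authzFrom rules.
database        config
rootdn          "cn=config,dc=test"

# The ordinary data database (assumed bdb; any backend that can store an
# entry carrying the authzFrom attribute will do).
database        bdb
suffix          "dc=test"
rootdn          "cn=Manager,dc=test"
rootpw          {SSHA}REPLACE-WITH-A-REAL-HASH
directory       /var/lib/ldap/test

# ---- authz.ldif: loaded once with ldapadd as cn=Manager,dc=test --------
# The entry whose DN is the config rootdn.  authzFrom is an operational
# attribute, so no particular objectClass is needed to carry it; it is
# writable by the rootdn of this database.  One exact DN and one tightly
# anchored regex; never "dn:*" here, that would make every bound user a
# config administrator.
dn: cn=config,dc=test
objectClass: applicationProcess
cn: config
userPassword: {SSHA}REPLACE-WITH-A-REAL-HASH
authzFrom: dn.exact:uid=eric,ou=people,dc=test
authzFrom: dn.regex:^uid=[^,]+,ou=ldapadmins,dc=test$

# A user who is allowed to assume the config identity (constructed).
dn: uid=eric,ou=people,dc=test
objectClass: inetOrgPerson
cn: Eric
sn: Irrgang
uid: eric
userPassword: {SSHA}REPLACE-WITH-A-REAL-HASH

# A user who is not listed and must be refused (constructed).
dn: uid=alice,ou=people,dc=test
objectClass: inetOrgPerson
cn: Alice
sn: Example
uid: alice
userPassword: {SSHA}REPLACE-WITH-A-REAL-HASH
```

To check the rules without back-ldap in the picture, bind as the user and ask for the config identity through the proxy authorization control: `ldapwhoami -x -H ldap://localhost:1389 -D uid=eric,ou=people,dc=test -W -e authzid="dn:cn=config,dc=test"` should answer `dn:cn=config,dc=test`, while the same command with `-D uid=alice,ou=people,dc=test` should fail with insufficient access, because cn=config,dc=test has no authzFrom value matching her.  Once that works, a subsequent `ldapsearch -x -H ldap://localhost:1389 -D uid=eric,ou=people,dc=test -W -e authzid="dn:cn=config,dc=test" -b cn=config` returns the config tree.  The same controls, when sent by back-ldap with idassert-bind, are what the upstream server would evaluate, so getting this direct test to pass first separates an authorization problem from a back-ldap configuration problem.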