Re: identity assertion

On Fri, 20 Jan 2006, Pierangelo Masarati wrote:

>What I don't follow you about is why are you trying to put back-ldap in
>the middle.  Isn't your problem about finding some way to allow regular
>users to access the cn=config tree?  You don't need back-ldap, you just
>need to be able to authorize users to assume the identity you specified
>as rootdn of the cn=config database.  Slapd allows you to do that
>without back-ldap.  You could also do something like
>authz-policy	from
>database        config
>rootdn          "cn=config,dc=test"
>Then, in the "dc=test" database you can add a "cn=config,dc=test" entry
>and, in that entry, add "authzFrom" rules that allow those users you
>intend to authorize.  The "dc=test" database can be of any type that
>allows you to store an entry with the "authzFrom" attribute.

I already have my target directory set up that way but I don't know how to
do identity assertion from a regular ldap client without using SASL.  Is
there a way?  For instance, the following fails with "ldapsearch: not
compiled with SASL support"

ldapsearch -x -W -D cn=authorizeduser,dc=test -X cn=config,dc=test

Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
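An added example, not from the thread, of the "cn=config,dc=test" entry with the "authzFrom" rules Pierangelo describes; the user and attribute names it authorizes (cn=authorizeduser, ou=people, employeeType=directory-admin) are placeholders assumed for the example.

```ldif
# Example entry for the "authz-policy from" setup quoted above (added here,
# not taken from the thread). Assumes slapd.conf already contains:
#   authz-policy  from
#   database      config
#   rootdn        "cn=config,dc=test"
# and that "dc=test" is served by a database that can store this entry.
dn: cn=config,dc=test
objectClass: applicationProcess
cn: config
# With the "from" policy, the entry being assumed lists who may assume it.
# A single identity, matched exactly (placeholder DN):
authzFrom: dn.exact:cn=authorizeduser,dc=test
# Any entry under ou=people,dc=test that matches the filter (placeholder
# attribute value); keep this filter narrow, since each match is granted
# rootdn access to the config database.
authzFrom: ldap:///ou=people,dc=test??sub?(employeeType=directory-admin)
```

With a simple bind the identity switch is requested per operation through the proxied authorization control rather than the SASL-only -X option, assuming an ldapsearch build that supports the -e extension: ldapsearch -x -W -D cn=authorizeduser,dc=test -e '!authzid=dn:cn=config,dc=test' -b cn=config -s base. slapd grants the switch only when the bound identity matches one of the authzFrom rules above.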