
slapd-ldap configuration and identity assertion
I think my problem at this point is that I can't seem to get back-ldap to
use the authzID to try to assert another identity.

If I have the following then all operations are carried out as the
binddn, which is what I would expect.

idassert-bind bindmethod=simple
 binddn="cn=erici,dc=cc,dc=utexas,dc=edu"
 credentials="hithere"
 mode=none


And if I set mode=self then I see things like the following in the logs
and I gather that appropriate things are happening.

==>slap_sasl_authorized: can cn=erici,dc=cc,dc=utexas,dc=edu become
(null)?
==>slap_sasl_check_authz: does cn=erici,dc=cc,dc=utexas,dc=edu match
authzFrom rule in ?
<==slap_sasl_check_authz: authzFrom check returning 32
<== slap_sasl_authorized: return 48
<= get_ctrls: n=1 rc=47 err="not authorized to assume identity"


But I can't seem to get authzID to work as documented.  When I don't
specify 'mode' and I do specify authzID, I'm led to believe that I should
see a bind from the binddn and then an identity assertion to the authzID.

database        ldap
suffix          dc=test
uri             "ldap://localhost:1389"
idassert-bind   bindmethod=simple
 binddn="cn=erici,dc=cc,dc=utexas,dc=edu"
 credentials="hithere"
 authzID="dn:cn=config,dc=test"
idassert-authzFrom "dn.regex:.*"

Instead, the connection gets relayed without using the binddn or the
authzID as if I hadn't used idassert-bind at all.

Am I missing something?

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
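The debug lines quoted above (slap_sasl_authorized / slap_sasl_check_authz / get_ctrls) are the place to look when back-ldap refuses to assert an identity. The following is an added example, not part of the post and not OpenLDAP code: a small parser that groups those lines into one event per assertion attempt, records which identity tried to become which target, whether any authzFrom rule was listed, and the result codes, so a log can be audited for "not authorized to assume identity" failures. It assumes the message shapes exactly as quoted in the post; the sample log is constructed from those lines, including the line wrapping the mail client introduced.

```python
import re

# Constructed sample: the log lines quoted in the post, wrapped exactly as
# they appear in the mail.  Continuation lines (those not starting with a
# direction arrow) are re-joined before parsing.
SAMPLE_LOG = """\
==>slap_sasl_authorized: can cn=erici,dc=cc,dc=utexas,dc=edu become
(null)?
==>slap_sasl_check_authz: does cn=erici,dc=cc,dc=utexas,dc=edu match
authzFrom rule in ?
<==slap_sasl_check_authz: authzFrom check returning 32
<== slap_sasl_authorized: return 48
<= get_ctrls: n=1 rc=47 err="not authorized to assume identity"
"""

# LDAP result codes seen in the quoted excerpt.  32 and 48 are standard
# LDAP codes; 47 (0x2F) is OpenLDAP's LDAP_PROXY_AUTHZ_FAILURE, which is
# what the err="..." text on the get_ctrls line reports.
RESULT_CODES = {
    32: "noSuchObject",
    47: "proxyAuthzFailure",
    48: "inappropriateAuthentication",
}

AUTHORIZED_RE = re.compile(
    r'^==>\s*slap_sasl_authorized: can (?P<who>.+?) become (?P<target>.+?)\?$')
CHECK_RE = re.compile(
    r'^==>\s*slap_sasl_check_authz: does (?P<who>.+?) match authzFrom rule in (?P<rule>.*?)\?$')
AUTHZ_RESULT_RE = re.compile(
    r'^<==\s*slap_sasl_check_authz: authzFrom check returning (?P<rc>\d+)$')
CTRL_RE = re.compile(
    r'^<=\s*get_ctrls: n=\d+ rc=(?P<rc>\d+) err="(?P<err>[^"]*)"$')

LINE_STARTS = ("==>", "<==", "<=")


def unwrap(text):
    """Re-join log lines that a mail client wrapped onto a second line."""
    joined = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LINE_STARTS) or not joined:
            joined.append(line)
        else:
            joined[-1] = joined[-1] + " " + line
    return joined


def parse_idassert_events(text):
    """Return one dict per identity-assertion attempt found in the log."""
    events = []
    current = None
    for line in unwrap(text):
        m = AUTHORIZED_RE.match(line)
        if m:
            current = {
                "who": m.group("who"),        # identity the proxy bound as
                "target": m.group("target"),  # identity it tried to become
                "rule": None,                 # authzFrom rule consulted, if any
                "authz_rc": None,             # result of the authzFrom check
                "ctrl_rc": None,              # result attached to the control
                "err": None,
            }
            events.append(current)
            continue
        if current is None:
            continue
        m = CHECK_RE.match(line)
        if m:
            # An empty rule text means the check ran with no rule listed.
            current["rule"] = m.group("rule").strip() or None
            continue
        m = AUTHZ_RESULT_RE.match(line)
        if m:
            current["authz_rc"] = int(m.group("rc"))
            continue
        m = CTRL_RE.match(line)
        if m:
            current["ctrl_rc"] = int(m.group("rc"))
            current["err"] = m.group("err")
            current = None  # get_ctrls closes the attempt
    return events


def find_denied_assertions(text):
    """Attempts that ended in a proxy-authorization failure (rc 47)."""
    return [e for e in parse_idassert_events(text) if e["ctrl_rc"] == 47]


def describe(event):
    """Human-readable one-liner for an assertion attempt."""
    name = RESULT_CODES.get(event["ctrl_rc"], str(event["ctrl_rc"]))
    rule = event["rule"] or "<no authzFrom rule listed>"
    return (f'{event["who"]} -> {event["target"]}: {name} '
            f'(authzFrom check {event["authz_rc"]}, rule {rule})')


if __name__ == "__main__":
    for ev in find_denied_assertions(SAMPLE_LOG):
        print(describe(ev))
```

Run against the quoted excerpt, the single event it finds has target `(null)` and no authzFrom rule listed, which is consistent with the mode=self snippet in the post carrying no idassert-authzFrom directive and no authzID; on a live server the same parser over the debug log shows whether a later configuration change actually produced a different target and a populated rule.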