
Re: anonymous proxy and idassert-bind

On Mon 8 January 2007 17:19, Pierangelo Masarati wrote:
> I have no idea of why it ever gets to return "no such object"; if the
> above is your slapd.conf, I see too many whitespaces in front of too
> many directives to yield a valid slapd-ldap configuration, though.

You were right. I thought I could use some indents like:
database ldap
	option	1
	option	2
	sub-section 1   (like idassert-bind)
		option1-of subsection1
		option2-of subsection1
	sub-section 2
		option1-of subsection2
		option2-of subsection2

For slaptest, everything is fine. The parser doesn't yell, but that changes
slapd behaviour randomly.
With this correction, the "no such object" error disappeared.

> In any case, if you specify flags=non-prescriptive, anonymous operations
> will not use identity assertion; in fact, non-prescriptive means that
> operations whose identity cannot be authorized are performed
> anonymously; the default is to reject them with "inappropriate
> authentication".

Ok, removed.

> A configuration like
> database        ldap
> suffix          "dc=example,dc=com"
> uri             ldap://:9011
> idassert-bind   bindmethod=simple
>                  mode=self
>                  binddn="cn=Manager,dc=example,dc=com"
>                  credentials="secret"
> idassert-authzFrom      "dn.regex:.*"
> will do the trick (although, with the above bug, no proxyauthz will occur
> and, as such, the operation will be performed with the identity defined
> in binddn).

For informational purposes, here is our "database ldap" section, which works:
database ldap
lastmod         off
chase-referrals no
suffix          "dc=x1,dc=f0,dc=enterprise"
uri             "ldap://192.168.AD.IP:3268/";
idassert-bind   bindmethod=simple binddn="CN=user1,OU=FR,dc=my,DC=firm,DC=com" credentials="secret" mode=anonymous
idassert-authzFrom "dn.regex:.*"

Thx for your help!
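An added illustration, not part of the original thread, of the line-joining rule behind the indentation problem above: slapd.conf(5) treats a line that begins with white space as a continuation of the previous line, so the "pretty" indented layout collapses into one long directive, while the deliberately continued idassert-bind does what is intended. Both sample configs are constructed for this example.

```python
# Added example (not from the original thread): emulate the slapd.conf(5)
# line-joining rule. A line that begins with white space is a continuation of
# the previous line, which is why an indented config can pass slaptest (it is
# syntactically valid) yet configure something quite different.
import re


def join_continuations(text: str) -> list[str]:
    """Return the logical directives of a slapd.conf-style text.

    Blank lines and lines starting with '#' are dropped; a line that begins
    with white space is appended to the preceding logical line. Runs of white
    space are normalised so the result is easy to compare.
    """
    directives: list[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            directives[-1] += " " + raw.strip()   # continuation line
        else:
            directives.append(raw.strip())        # new directive
    return [re.sub(r"\s+", " ", d) for d in directives]


# Constructed sample: the indented layout from the thread. Every indented
# option is glued onto the 'database ldap' line, so slapd sees ONE directive
# and none of the options is set on its own.
INDENTED = """\
database ldap
\tlastmod\toff
\tidassert-bind bindmethod=simple
\t\tmode=anonymous
"""

# Constructed sample: continuation used where it belongs, to spread a single
# long idassert-bind directive over two lines.
CORRECT = """\
database ldap
lastmod         off
idassert-bind   bindmethod=simple
                mode=anonymous
idassert-authzFrom "dn.regex:.*"
"""

if __name__ == "__main__":
    for name, cfg in (("indented", INDENTED), ("correct", CORRECT)):
        parsed = join_continuations(cfg)
        print(f"{name}: {len(parsed)} directive(s)")
        for d in parsed:
            print("   ", d)
```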