[Date Prev][Date Next]
Pierangelo Masarati <firstname.lastname@example.org> wrote:
> > And the BIND operation still shows the TLS certificate DN for both
> > authzid and authcid: the binddn or authcid I provide does not appear.
> That's expected: it is only needed by an internal check that decides
> whether to proxyAuthz or not. I've fixed this in HEAD/re24/re23, if you
> could try it... it's a trivial patch from back-ldap/bind.c you can pull
> from the CVS.
That patch fix the problem alone, or I also need authz-regexp?
For OpenLDAP 2.3.38, I just need bind.c 220.127.116.11-18.104.22.168, right? No
other file is to be changed?
> > Do I miss some directive on the master to allow the proxy authorization?
> Yes. You should map the identity of the certificate DN onto some
> existing identity on the producer using the authz-regexp directive, and
> then add to that identity an authzTo rule that allows it to authorize as
> anyone (or as those that are authorized to exploit this feature).
Something like this? (I have never used that statements before)
Do I need authz-policy?