Re: slapo-chain

[Pierangelo Masarati <ando@sys-net.it>]

Emmanuel Dreyfus wrote:

> That patch fix the problem alone, or I also need authz-regexp?

The two things are orthogonal:

- if you want the identity slapo-chain binds as to be allowed to
authorize others, even if those do not exist in the database, you'll
need to populate this identity's authzTo.

- In order to do this, that identity must exist in the database.

- So, if the DN resulting from a SASL bind does not exist in the
database, you'll have to map it to an existing one using authz-regexp.

So your identity is actually undergoing two transformations:

1) cert DN -> existing DN, for the sole purpose of granting existing DN
some permissions it needs to authorize other users; this is done by the
authz-regexp directive alone

2) existing DN -> authorized DN via proxyAuthz, to actually perform the
operation with the asserted identity; this transformation requires
existing DN to be allowed to authorize as authorized DN, so requires an
appropriate combination of the authz-policy parameters and of th authzTo
attribute in the existing DN's entry.

Hope it's clear now.

> For OpenLDAP 2.3.38, I just need bind.c 1.85.2.36-1.85.2.37, right? No
> other file is to be changed?

Yes.  This patch only fixes a malformed internal test which required the
authcId or the binddn to be present for proxyAuthz use in identity
assertion, even though there are SASL mechs (like EXTERNAL) that do not
make use of authcID.  This patch lets things work without the need to
set an otherwise unused authcId parameter in the idassert configuration.

>>> Do I miss some directive on the master to allow the proxy authorization?
>> Yes.  You should map the identity of the certificate DN onto some
>> existing identity on the producer using the authz-regexp directive, and
>> then add to that identity an authzTo rule that allows it to authorize as
>> anyone (or as those that are authorized to exploit this feature).
> 
> Something like this? (I have never used that statements before)
> authz-regexp
>         cn=ldap1.example.net
>         uid=ldap1,ou=pseudousers,dc=example,dc=net


> authzTo dn.exact="uid=ldap1,ou=pseudousers,dc=example,dc=net" 

Yes for the authz-regexp, No for the authzTo.  For example, if the DN in
the consumer's cert is "cn=cert", and you want it to be mapped to
"cn=consumer", so that it can only authorize users whose DN is of the
form "uid=foobar,ou=writers", you need to:

- add

authz-policy to
authz-regexp "^cn=cert$" "cn=consumer"

Then you need to modify the "cn=consumer" entry as follows:

dn: cn=consumer
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=writers$

See <http://www.openldap.org/faq/data/cache/1254.html> for details on
the syntax of authzTo.

Now you need to carefully protect the authzTo attribute, otherwise, for
example, those who can modify it for self would be able to authorize as
the rootdn.  Something like

access to attrs=authzTo
    by * auth

> Do I need authz-policy?

Yes, see above.

I'd appreciate if you could turn this, in due course, and as soon as
detail shake down, into a FAQ entry.  I think the subject belongs to
chaining, which could go into the description of slapo-chain.  Explicit
reference to replication could be added.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------