
Re: slapo-chain



Emmanuel Dreyfus wrote:
> Pierangelo Masarati <ando@sys-net.it> wrote:
> 
>> Yes.  You should map the identity of the certificate DN onto some
>> existing identity on the producer using the authz-regexp directive, and
>> then add to that identity an authzTo rule that allows it to authorize as
>> anyone (or as those that are authorized to exploit this feature).
> 
> I got it working. Here is what I have; I'd be glad if you could confirm
> to me that I did not introduce security holes:
> 
> 
> On the replica:
> overlay                  chain
> chain-uri                ldaps://ldap0.example.net
> chain-idassert-bind      bindmethod=sasl
>                          saslmech=EXTERNAL
>                          binddn="cn=bugworkaround"
>                          mode=self
> chain-idassert-authzFrom "*"
> chain-return-error       TRUE
> 
> 
> On the master:
> authz-policy            to
> authz-regexp    cn=ldap1.example.net
>                 cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
> authz-regexp    cn=ldap2.example.net
>                 cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
> 
> access to attrs=authzTo 
>     by * read stop
> 
> 
> In the DIT:
> dn: ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalUnit
> ou: pseudo-user
> 
> dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap1.example.net
> ou: pseudo-user
> authzTo: *
> 
> dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap2.example.net
> ou: pseudo-user
> authzTo: *

Correct.  See my previous message.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
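The following is an added example, not part of the thread above and not OpenLDAP code. It models in plain Python the two steps the configuration relies on on the master: authz-regexp mapping of the SASL EXTERNAL authentication DN (the certificate subject) onto a pseudo-user entry, and evaluation of that entry's authzTo values under authz-policy "to". Because slapd matches an authz-regexp pattern as a search rather than a full-string match, the example anchors its patterns to a full subject DN; the subject form "cn=...,o=Example,c=NET", the ou=people subtree, and the entry contents are assumptions for the example. ldap1 keeps the thread's "authzTo: *"; ldap2 shows a subtree-scoped alternative so the difference is visible.

```python
"""Model of slapd's authz-regexp mapping followed by authzTo evaluation
(authz-policy "to"), as used when slapo-chain asserts another identity.

Added example, not OpenLDAP code. Directory entries, certificate subject
DNs and the ou=people subtree below are constructed for the example.
"""
import re


def normalize_dn(dn):
    """Simplified DN normalization: lowercase and strip whitespace around
    RDN separators. Real slapd normalizes per attribute syntax."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def map_authc_identity(authc_dn, rules):
    """Apply authz-regexp rules in order; the first matching rule wins.

    As in slapd the pattern is searched in the authentication DN (it is not
    implicitly anchored), and $1..$9 in the replacement refer to groups.
    Returns the mapped DN, or None when no rule matches."""
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, flags=re.IGNORECASE)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


def authz_to_allows(authz_to_values, target_dn):
    """Does an identity holding these authzTo values get to assert target_dn?
    Supported value forms: '*', dn.exact:, dn.subtree:, dn.children:, dn.regex:."""
    target = normalize_dn(target_dn)
    for value in authz_to_values:
        if value == "*":                       # any identity at all
            return True
        if value.startswith("dn.exact:"):
            if normalize_dn(value[len("dn.exact:"):]) == target:
                return True
        elif value.startswith("dn.subtree:"):  # base entry and everything below
            base = normalize_dn(value[len("dn.subtree:"):])
            if target == base or target.endswith("," + base):
                return True
        elif value.startswith("dn.children:"): # below the base, excluding it
            base = normalize_dn(value[len("dn.children:"):])
            if target.endswith("," + base):
                return True
        elif value.startswith("dn.regex:"):
            if re.search(value[len("dn.regex:"):], target_dn, flags=re.IGNORECASE):
                return True
    return False


def proxy_authz_decision(authc_dn, target_dn, rules, directory):
    """Full check: map the certificate DN to an entry, read its authzTo,
    evaluate it against the asserted DN. Returns (allowed, mapped_dn)."""
    mapped = map_authc_identity(authc_dn, rules)
    if mapped is None:
        return False, None                     # unmapped identities get nothing
    entry = directory.get(normalize_dn(mapped))
    if entry is None:
        return False, mapped                   # mapped to a DN that does not exist
    return authz_to_allows(entry.get("authzTo", []), target_dn), mapped


# authz-regexp rules as in the thread, anchored to the assumed full subject DN.
AUTHZ_REGEXP = [
    (r"^cn=ldap1\.example\.net,o=example,c=net$",
     "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net"),
    (r"^cn=ldap2\.example\.net,o=example,c=net$",
     "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net"),
]

# Constructed directory content: the thread's two pseudo-user entries.
DIRECTORY = {
    normalize_dn("cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net"): {
        "objectClass": ["organizationalRole"],
        "authzTo": ["*"],   # as in the thread: may assert any identity
    },
    normalize_dn("cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net"): {
        "objectClass": ["organizationalRole"],
        # scoped alternative: may only assert identities under ou=people
        "authzTo": ["dn.subtree:ou=people,dc=example,dc=net"],
    },
}

if __name__ == "__main__":
    for cert_dn, asserted in [
        ("cn=ldap1.example.net,o=Example,c=NET", "cn=admin,dc=example,dc=net"),
        ("cn=ldap2.example.net,o=Example,c=NET", "uid=alice,ou=people,dc=example,dc=net"),
        ("cn=ldap2.example.net,o=Example,c=NET", "cn=admin,dc=example,dc=net"),
        ("cn=ldap1.example.net.evil,o=Example,c=NET", "cn=admin,dc=example,dc=net"),
    ]:
        allowed, mapped = proxy_authz_decision(cert_dn, asserted, AUTHZ_REGEXP, DIRECTORY)
        print(f"{cert_dn} -> {mapped}: assert {asserted}: {'ALLOW' if allowed else 'DENY'}")
```

The replica side is unchanged by this: chain-idassert-authzFrom "*" only says which local identities the replica is willing to assert onward; whether the master honours the assertion is decided entirely by the mapped entry's authzTo, which is what the block evaluates.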