[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Meta Idassert-bind

***  Before acting on this email or opening any attachment you are advised to read the disclaimer at the end of this email ***

If it helps at all, I'm running 2.4.11 under SLES 10.

>>> "Andrew Graham" <andrew.graham@agustawestland.com> 25/07/2008 11:37
I have moved local users into a seperate branch of the local DIT, set
idassert-authzFrom to this branch and set the 'non-prescriptive' flag
the targets.

With this config, remote users can bind correctly to a target. If
another target is in the scope of the query, openldap will attempt to
bind with no credentials. This behaviour is fine.

If the root user binds to the local database, openldap will use bind
all targets in scope with the full idassert credentials.

If a local user (but not root) binds to the local database, openldap
uses the idassert dn to bind, but does not supply a password. This is
now the problem, as most of my targets require a successful bind in
order to perform queries.



Andrew Graham
AgustaWestland UK
Tel No: +44 (0) 1935 70 4421

>>> Pierangelo Masarati <ando@sys-net.it> 25/07/2008 10:59 >>>

> I've been racking my brains trying to understand the syntax of
> idassert-bind. 
> In my current setup I have a local bdb database with some users and
> the
> base entry for the tree. I have a meta database that is subordinate
> to
> the bdb database. 
> If I bind to the proxy as root, and search for anything, with any
> base
> (within the tree) openldap will bind to the relevant targets using
> the
> credentials defined in the idassert-bind directives. 
> If I bind to the proxy as a user that exists locally (within the bdb
> database) but not in any of the targets, openldap will bind to the
> targets anonymously using the dn defined in idassert-bind but no
> password.  
> If I bind to the proxy as a user that exists in one of the targets,
> it
> will bind to that target with the supplied credentials, and bind
> anonymously using the dn defined in idassert-bind to all other
> targets
> within scope.
> Ideally, I would like the following situation:
> If a user binds with local credentials, openldap should bind to the
> targets with the credentials supplied with idassert-bind. 
> If a user binds with remote credentials, openldap should bind to
> target with the credentials supplied by the user, and either bind to
> the
> other targets using the pre-defined credentials OR not attempt to
> bind
> to those targets.

If I get your wishes correctly, you should work at the
idassert-authzFrom level to only enable identity assertion for local
users, disabling it for remote users.  You may need to set
"non-prescriptive" in order to allow non-authorized users to connect


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it 

*** Disclaimer ***
The information contained in this E-Mail and any subsequent correspondence may be subject to the Export Control Act (ECA) 2002. The content is private and is intended solely for the recipient(s). 
For those other than the recipient any disclosure, copying, distribution, or action taken, or omitted to be taken, in reliance on such information is prohibited and may be unlawful.

If received in error please return to sender immediately.

Under the laws of England misuse of information that is subject to the ECA 2002, is a criminal offence.

Westland Helicopters Ltd 
Lysander Road 
Yeovil BA20 2YB 

Registered in England under No 604352