[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Auth access for search-based mappings?

> Quoting Michael Ströder <michael@stroeder.com>:
>> uid=([^,]*) looks strange to me. How about trying uid=([^,]+) instead?
> That would only help to avoid matching an empty uid. Anyway, we've
> already established that the problem is not the search pattern, but
> the authz-regexp replacement pattern. Howard has suggested an
> interesting LDAP search URL/URI; it may not work, but it looks like
> the right idea.
> Also, I'm still bothered by the note at the very end of section 15.2.6
> of the OpenLDAP admin manual. There's a similar note on the man page
> for slapd.conf:
>     "The protocol portion of the URI must be strictly ldap.
>     Note that this search is subject to access controls.
>     Specifically, the authentication identity must have
>     "auth" access in the subject."
> Perhaps Howard's URL is correct, but that this issue is keeping it
> from working. This is even what my question was originally about: What
> does this mean? Who is supposed to have auth access to what in order
> for this to work?

The "protocol" note means that you can only use a "ldap://"; URL type, not
a "ldaps://" or so.  This is to make sure one does not incorrectly assume
that requests can be directed to another server or so.

The "access" note means that an internal search will be performed.  This
implies that a searchBase object will be unvealed, the values of attrs
used in the filter will be compared to the asserted ones, and the DNs of
the resulting objects will be used for the mapping.  Access to all this
information will be required.  If the mapping is part of an
authentication, the request itself is anonymous until the bind succeeds. 
As a consequence, access to data required by the mapping will need to be
granted to anonymous.  For this reason, any "read" or "search" access
required by the internal lookup is relaxed to "auth", so you don't need to
endanger data confidentiality in order to allow identity mapping.

All of this is (partially) discussed in Section "OPERATION REQUIREMENTS"
of slapd.access(5).

Hope this helps.