Re: idassert-bind seems to ignore binddn
- To: openldap-technical@openldap.org
- Subject: Re: idassert-bind seems to ignore binddn
- From: Dieter Klünter <dieter@dkluenter.de>
- Date: Sat, 2 May 2015 09:53:13 +0200
- In-reply-to: <CAOJKoA+rF_pw5+3OngrFwrUUMC7CW=b6G0-u=u1H0y7CzWDkcw@mail.gmail.com>
- Organization: AVCI
- References: <CAOJKoALPAeakv73RxE=iqbV6hB_3aAroHtF6wjAv7s4_OMS8ww@mail.gmail.com> <6B0832746CAB284CF9B92918@192.168.1.9> <55432B2F.4090906@meddeb.net> <CAOJKoA+rF_pw5+3OngrFwrUUMC7CW=b6G0-u=u1H0y7CzWDkcw@mail.gmail.com>
On Fri, 1 May 2015 09:58:35 -0700, Ryan Lovett <rylo@berkeley.edu> wrote:
> According to http://www.openldap.org/faq/data/cache/532.html,
> idassert-authzFrom is not needed in this case. Here is the example:
>
> > To allow (dumb) clients that do not perform bind to access servers that
> > require bind (and some ssf) by asserting some static identity (the
> > dn:<dn>, or even the anonymous mode, to implement the "sandbox"
> > user described above) without any idassert-authzFrom rule in place:
> >
> >     database ldap
> >     suffix "dc=example,dc=com"
> >     uri "ldap://ldap.example.com"
> >     idassert-bind bindmethod=simple
> >         binddn="cn=Proxy,dc=example,dc=com"
> >         credentials=proxy
> >         authzID="dn:cn=Sandbox,dc=example,dc=com"
> >
> > If no authzID is given, and mode is set to none (for instance
> > because the remote server does not support the proxyAuthz control),
> > the clients will be authorized as "cn=Proxy,dc=example,dc=com" even
> > if they actually connected anonymously to the proxy. Beware that
> > this may be a significant security breach, if that identity is
> > granted anything but anonymous read privileges.
[...]
Did you create an authz-policy rule in slapd.conf?
Did you add an authzTo attribute to the entry cn=Proxy,dc=example,dc=com?
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
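The FAQ text quoted in this thread describes a configuration pitfall that is easy to audit for mechanically: a back-ldap `idassert-bind` with a `binddn` but no `authzID`, where `mode=none` means anonymous clients reach the remote server as the proxy identity itself. The script below is an added example, not code from the thread or from the OpenLDAP project. It parses `slapd.conf` database sections (handling slapd.conf continuation lines and quoted values), extracts the `idassert-bind` parameters and reports the case the FAQ warns about. The two sample configurations are constructed for the example; the "review" finding for a missing or `legacy` mode is a conservative assumption, since the quoted FAQ only documents `mode=none` explicitly.

```python
"""Audit slapd.conf back-ldap proxies for the idassert-bind pitfall described in the
OpenLDAP FAQ: an idassert-bind with a binddn but no authzID and mode=none lets
anonymous clients reach the remote server as the proxy identity itself.
Added example, not part of the original thread or of OpenLDAP."""

import shlex


def logical_lines(text):
    """Return slapd.conf logical lines: comments and blank lines dropped, and any
    line that begins with whitespace appended to the previous line (slapd.conf
    continuation rule)."""
    out = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and out:
            out[-1] += " " + raw.strip()
        else:
            out.append(raw.strip())
    return out


def parse_databases(text):
    """Split slapd.conf into database sections:
    [{'type': 'ldap', 'directives': [(name, [args]), ...]}, ...].
    Directives before the first 'database' line (the global section) are ignored."""
    dbs = []
    current = None
    for line in logical_lines(text):
        parts = shlex.split(line)  # strips the double quotes around DNs and URIs
        if not parts:
            continue
        name = parts[0].lower()  # slapd.conf directive names are case-insensitive
        if name == "database":
            current = {"type": parts[1].lower() if len(parts) > 1 else "", "directives": []}
            dbs.append(current)
        elif current is not None:
            current["directives"].append((name, parts[1:]))
    return dbs


def parse_idassert_bind(args):
    """Turn idassert-bind's key=value tokens into a dict with lower-cased keys
    (authzID and authzId name the same parameter)."""
    params = {}
    for tok in args:
        key, _, value = tok.partition("=")
        params[key.lower()] = value
    return params


def audit_ldap_database(db):
    """Return (severity, message) findings for one 'database ldap' section."""
    findings = []
    if db["type"] != "ldap":
        return findings
    bind, has_authz_from = None, False
    for name, args in db["directives"]:
        if name == "idassert-bind":
            bind = parse_idassert_bind(args)
        elif name == "idassert-authzfrom":
            has_authz_from = True
    if bind is None:
        return findings  # no identity assertion configured, nothing to check
    mode = bind.get("mode", "").lower()
    authz_id = bind.get("authzid", "")
    identity = bind.get("binddn") or bind.get("authcid") or "<idassert identity>"
    if not authz_id and mode == "none":
        # The case the FAQ warns about: nothing is asserted, so every client, the
        # anonymous ones included, is authorized on the remote server as the proxy.
        findings.append(("critical",
                         f"mode=none without authzID: anonymous clients are authorized "
                         f"on the remote server as {identity}"))
    elif not authz_id and mode in ("", "legacy"):
        # Assumption: flagged for review only, because the quoted FAQ text documents
        # mode=none explicitly; check how your slapd version treats anonymous clients here.
        findings.append(("review",
                         f"no authzID and mode={mode or 'default'}: confirm anonymous "
                         f"clients are not mapped to {identity}"))
    if authz_id and not authz_id.lower().startswith(("dn:", "u:")):
        findings.append(("warning", f"authzID {authz_id!r} is not in dn: or u: form"))
    if not has_authz_from:
        findings.append(("info",
                         "no idassert-authzFrom: any local identity may use the assertion "
                         "(the FAQ considers this acceptable when a static sandbox authzID is asserted)"))
    return findings


def audit(text):
    """Audit every database section of a slapd.conf string."""
    return [f for db in parse_databases(text) for f in audit_ldap_database(db)]


# Constructed sample configurations for this example. The first is the configuration
# the FAQ warns about, the second the FAQ's static "sandbox" identity.
WEAK_CONF = """\
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap.example.com"
idassert-bind bindmethod=simple
    binddn="cn=Proxy,dc=example,dc=com"
    credentials=proxy
    mode=none
"""

SANDBOX_CONF = """\
database ldap
suffix "dc=example,dc=com"
uri "ldap://ldap.example.com"
idassert-bind bindmethod=simple
    binddn="cn=Proxy,dc=example,dc=com"
    credentials=proxy
    authzID="dn:cn=Sandbox,dc=example,dc=com"
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("sandbox", SANDBOX_CONF)):
        print(f"== {label} ==")
        for severity, message in audit(conf):
            print(f"  [{severity}] {message}")
```

Run it against a real `slapd.conf` by reading the file into `audit()`; it only inspects `database ldap` sections, so other backends are ignored. Note that the check covers the proxy side only: whether the remote server actually honours the asserted `dn:cn=Sandbox,...` identity depends on its `authz-policy` and the `authzTo` attribute of the proxy entry, which this script cannot see.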