[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: idassert-authzFrom: Proper way to include only non-anonymous binds

To: Patrik Lundin <patrik@sigterm.se>, openldap-technical@openldap.org
Subject: Re: idassert-authzFrom: Proper way to include only non-anonymous binds
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Thu, 04 Apr 2019 09:01:23 -0700
Content-disposition: inline
In-reply-to: <20190401213925.GA72625@shell1.sigterm.se>
References: <20190401213925.GA72625@shell1.sigterm.se>

--On Tuesday, April 02, 2019 12:39 AM +0200 Patrik Lundin<patrik@sigterm.se> wrote:

Hello,

What is the proper way to make sure only non-anonymous binds are allowed
to utilize idassert-bind credentials?


Hi Patrik,

I had an extensive discussion with Howard about this today. Here's thesummary:


a) The FAQ is incorrect (I will fix this).
b) Pierangelo's email is correct
c) "dn:*" and "dn.regex=.*" are equivalent

d) The slapd-ldap man page needs to be fixed. I will file an ITS on this.The idassert-authzFrom directive follows the same rules as described in theslapd.conf(5) man page for authz-policy EXCEPT for it special casing "*" toallow anonymous to work.


Hope that helps!

Regards,
Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: idassert-authzFrom: Proper way to include only non-anonymous binds
  - From: Patrik Lundin <patrik@sigterm.se>

References:
- idassert-authzFrom: Proper way to include only non-anonymous binds
  - From: Patrik Lundin <patrik@sigterm.se>

Prev by Date: Re: Replication delay
Next by Date: Re: Antw: Re: (was: Help needed: "glued" object.)
Index(es):
- Chronological
- Thread