Full_Name: Quanah Gibson-Mount
Version: 2.4.47
OS: N/A
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (47.208.144.40)

The slapd-ldap(5) man page has the following statement:

    idassert-authzFrom <authz-regexp>
        if defined, selects what local identities are authorized to exploit the identity assertion feature. The string <authz-regexp> follows the rules defined for the authzFrom attribute. See slapd.conf(5), section related to authz-policy, for details on the syntax of this field.

However, it deviates from the rules laid out in the authz-policy section in that the special case of "*" has a different meaning for slapd-ldap/slapd-meta. In their case, this *allows* anonymous, while in the authz-policy case, anonymous is denied. This exception to the normal behavior needs to be noted.
has patch;IPR OK openldap-scratch
changed notes moved from Incoming to Documentation
https://git.openldap.org/openldap/openldap/-/merge_requests/11
https://git.openldap.org/openldap/openldap/-/merge_requests/15
Commits:
• a5b8a41c by Quanah Gibson-Mount at 2020-04-01T19:40:27+00:00 ITS#9003 Note that with slapd-ldap, the special character "*" actually allows anonymous rather than denies, as is the case with authz-policy
• 468c8ee2 by Quanah Gibson-Mount at 2020-04-02T21:18:24+00:00 ITS#9003 Note that with slapd-ldap, the special character "*" actually allows anonymous rather than denies, as is the case with authz-policy
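
As an added example (not part of this ticket or of OpenLDAP's code), a small linter for slapd.conf-style text that reports `idassert-authzFrom "*"` under `database ldap` or `database meta`, the setting the report says allows anonymous. The sample configuration, host names and function names are constructed for illustration; cn=config (LDIF) deployments are not covered.

```python
import shlex

# Backends the report names as giving "*" the allow-anonymous meaning.
PROXY_BACKENDS = {"ldap", "meta"}

SAMPLE = '''\
# constructed sample configuration, not taken from the ticket
database ldap
suffix "dc=remote,dc=example,dc=com"
uri "ldap://ldap.example.com/"
idassert-bind bindmethod=simple
  binddn="cn=proxy,dc=example,dc=com"
  mode=self
idassert-authzFrom "*"

database ldap
suffix "dc=other,dc=example,dc=com"
uri "ldap://ldap2.example.com/"
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$"
'''

def logical_lines(text):
    """Yield (first_line_number, text) with continuation lines joined."""
    current, start = None, 0
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):          # comment line
            continue
        if raw[:1] in (" ", "\t") and current is not None:
            current += " " + raw.strip()  # leading whitespace continues a line
            continue
        if current:
            yield start, current
        current, start = raw.strip(), n
    if current:
        yield start, current

def find_wildcard_idassert(text):
    """Return [(line, backend)] where idassert-authzFrom is exactly "*"."""
    findings, backend = [], None
    for n, line in logical_lines(text):
        args = shlex.split(line)          # honours double-quoted arguments
        key = args[0].lower()             # keywords are case-insensitive
        if key == "database" and len(args) > 1:
            backend = args[1].lower()
        elif key == "idassert-authzfrom" and backend in PROXY_BACKENDS and args[1:2] == ["*"]:
            findings.append((n, backend))
    return findings
```

Each finding is a line to review against the intended policy, since the wildcard there does not carry the deny-anonymous meaning it has under authz-policy.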