> Full_Name: J
> Version: 2.4.20
> OS: Debian-Lenny/amd64
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (68.15.14.98)
>
>
> Greetings,
>
> Having found out this doesn't already exist as another parameter or
> configuration method, I am hereby submitting a request for a particular
> feature.
>
> When performing idassert-bind operations, such as with back_ldap, it would
> be great if an option could be added which would allow specific matched
> client DNs to be matched and asserted as usual (e.g: the anonymous user
> asserting to a backend "proxyauthenticator" account) .... while other
> clients (flagged somehow) would pass-through as themselves.
>
> Example (as I might do it for my purposes):
>
> idassert-bind
>     bindmethod="simple"
>     binddn="uid=proxyauthenticator,ou=users,dc=example,dc=com"
>     credentials="password_string"
>     starttls="yes"
>     tls_reqcert="never"
>     mode="none"
>
> # anonymous clients will assert as "proxyauthenticator", since the backend
> # may not allow anonymous binds.
> idassert-authzFrom "dn.exact:"
>
> # this guy will pass through as himself to the backend, as-is.
> idassert-passThrough "dn.exact:uid=admin,ou=users,dc=example,dc=com"
>
> This would be really helpful, not sure if it's difficult to implement ...
This is now implemented in back-ldap (idassert-passthru, olcDbIDAssertPassThru, undocumented yet). Basically, identities matching rules formally identical to those of idassert-authzFrom do not undergo identity assertion. This rule is checked before idassert-authzFrom, so in case an identity matches both, passthru wins. Please test and report. p.
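The decision order described in the reply (passthru checked first, then idassert-authzFrom), as an added illustrative model that is not OpenLDAP's code; it uses the rules from the request above and also accepts dn.subtree and dn.regex styles. Treating a client that matches neither rule set as refused is an assumption of this example.

```python
# Model of back-ldap's identity-assertion decision as described in this ITS:
# idassert-passthru is evaluated first; a matching client goes to the backend
# as itself. Otherwise idassert-authzFrom decides whether the client may be
# asserted as the configured binddn. Illustrative only, not OpenLDAP source.
import re

def normalize_dn(dn):
    """Minimal DN normalization: lowercase, strip blanks around '=' and ','."""
    if not dn:
        return ""  # the anonymous identity is the empty DN
    return ",".join(
        "=".join(part.strip().lower() for part in rdn.split("=", 1))
        for rdn in dn.split(",")
    )

def match_rule(rule, dn):
    """Match one authzFrom-style rule (dn.exact:, dn.subtree:, dn.regex:)."""
    style, _, pattern = rule.partition(":")
    norm = normalize_dn(dn)
    if style == "dn.exact":
        return norm == normalize_dn(pattern)
    if style == "dn.subtree":
        base = normalize_dn(pattern)
        return norm == base or norm.endswith("," + base)
    if style == "dn.regex":
        return re.fullmatch(pattern, norm) is not None
    raise ValueError("unsupported rule style: " + style)

def decide(client_dn, passthru_rules, authz_from_rules, assert_dn):
    """Return (identity forwarded to the backend, reason)."""
    # passthru is checked before authzFrom, so it wins when both match
    if any(match_rule(r, client_dn) for r in passthru_rules):
        return client_dn, "passthru"
    if any(match_rule(r, client_dn) for r in authz_from_rules):
        return assert_dn, "asserted"
    # Assumption for this model: a client allowed by neither set is refused.
    return None, "denied"
```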
