Emmanuel Dreyfus wrote:
> Pierangelo Masarati <[EMAIL PROTECTED]> wrote:
>
>> Yes. You should map the identity of the certificate DN onto some
>> existing identity on the producer using the authz-regexp directive, and
>> then add to that identity an authzTo rule that allows it to authorize as
>> anyone (or as those that are authorized to exploit this feature).
>
> I got it working. Here is what I have; I'd be glad if you could confirm
> to me that I did not introduce security holes:
>
>
> On the replica:
> overlay chain
> chain-uri ldaps://ldap0.example.net
> chain-idassert-bind bindmethod=sasl
>     saslmech=EXTERNAL
>     binddn="cn=bugworkaround"
>     mode=self
> chain-idassert-authzFrom "*"
> chain-return-error TRUE
>
>
> On the master:
> authz-policy to
> authz-regexp cn=ldap1.example.net
>     cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
> authz-regexp cn=ldap2.example.net
>     cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
>
> access to attrs=authzTo
>     by * read stop
>
>
> In the DIT:
> dn: ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalUnit
> ou: pseudo-user
>
> dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap1.example.net
> ou: pseudo-user
> authzTo: *
>
> dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
> objectClass: organizationalRole
> cn: ldap2.example.net
> ou: pseudo-user
> authzTo: *
Correct. See my previous message.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    [EMAIL PROTECTED]
---------------------------------------
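The point of the exchange above is that every identity reached through authz-regexp and carrying `authzTo: *` can proxy-authorize as any DN on the master, so the set of such identities is worth auditing. As an added example (not part of this thread and not OpenLDAP's own tooling), the Python script below reads an LDIF export of the pseudo-user branch together with the master's authz-regexp lines and reports two things: which identities hold an unrestricted authzTo grant, and which authzTo holders no authz-regexp maps to (a grant that is still usable by anyone able to bind as that DN). The sample LDIF repeats the entries quoted in the thread and adds a constructed cn=ldap3.example.net entry with a subtree-scoped grant for contrast. The prefix list the classifier recognises and the lowercase DN comparison are simplifications, not full authzTo syntax or DN normalisation.

```python
"""Audit proxy-authorization (authzTo) grants in an OpenLDAP LDIF export.

Added example: the sample data below is constructed. It copies the three
pseudo-user entries and the two authz-regexp lines from the mailing-list
thread and adds a hypothetical cn=ldap3.example.net entry for contrast.
"""
import base64
import re

SAMPLE_LDIF = """\
dn: ou=pseudo-user,dc=example,dc=net
objectClass: organizationalUnit
ou: pseudo-user

dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap1.example.net
ou: pseudo-user
authzTo: *

dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap2.example.net
ou: pseudo-user
authzTo: *

dn: cn=ldap3.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap3.example.net
authzTo: dn.subtree:ou=people,dc=example,dc=net
"""

# authz-regexp lines as they would appear in the master's slapd.conf (constructed).
SAMPLE_AUTHZ_REGEXP = """\
authz-regexp cn=ldap1.example.net cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
authz-regexp cn=ldap2.example.net cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries are separated by blank lines, a line
    starting with a space continues the previous one, '::' marks base64.
    Returns a list of dicts keyed by lowercase attribute name."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold continuation line
        else:
            lines.append(raw)
    entries, attrs = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                entries.append(attrs)
            attrs = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def classify_authzto(value):
    """Heuristic scope classification of one authzTo value.
    '*' (and a catch-all dn.regex) means the holder may authorize as anyone."""
    v = value.strip()
    if v == "*":
        return "unrestricted"
    if v.startswith("dn.regex:") and v[len("dn.regex:"):].strip() in (".*", "^.*$", "^.*", ".*$"):
        return "unrestricted"
    scoped_prefixes = ("dn:", "dn.exact:", "dn.regex:", "dn.subtree:", "dn.children:", "u:")
    if v.startswith(scoped_prefixes):
        return "scoped"
    return "unknown"


def audit(ldif_text, conf_text):
    """Return one finding per authzTo value: its scope and whether some
    authz-regexp on the master maps a SASL identity onto that DN."""
    mapped = {m.lower() for m in re.findall(r"^authz-regexp\s+\S+\s+(\S+)\s*$", conf_text, re.M)}
    findings = []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        for value in entry.get("authzto", []):
            findings.append({
                "dn": dn,
                "authzTo": value,
                "scope": classify_authzto(value),
                # lowercase comparison is an approximation of DN normalisation
                "mapped": dn.lower() in mapped,
            })
    return findings


def unrestricted_identities(findings):
    """DNs that can proxy-authorize as any identity."""
    return sorted(f["dn"] for f in findings if f["scope"] == "unrestricted")


def stray_grants(findings):
    """DNs holding an authzTo grant that no authz-regexp maps to."""
    return sorted({f["dn"] for f in findings if not f["mapped"]})


if __name__ == "__main__":
    results = audit(SAMPLE_LDIF, SAMPLE_AUTHZ_REGEXP)
    for f in results:
        print(f"{f['scope']:<12} mapped={str(f['mapped']):<5} {f['dn']}  authzTo: {f['authzTo']}")
    print("unrestricted:", unrestricted_identities(results))
    print("unmapped grants:", stray_grants(results))
```

Run against a real export (`slapcat -b ou=pseudo-user,dc=example,dc=net`) and the live slapd.conf, the "unrestricted" list is the set of replica identities whose client certificate, once it passes authz-regexp, is equivalent to every account on the master; keeping that list to exactly the replicas, and scoping authzTo where the replicas only need to act for a subtree, is the narrowing the thread's parenthetical suggests.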
