On Mon, Mar 09, 2020 at 07:47:17AM +0000, dieterbocklandt@gmail.com wrote:
> When using SASL proxy authorization in conjunction with the identity assertion feature of back-ldap, the authentication ID is asserted instead of the expected authorization ID. A small concrete example (only referencing the relevant attributes):
Hi Dieter, can you post the actual configuration or, even better, a script that could be used in ./tests/data/regressions?
Just before you do that, I've recently set up the same, and if you have your back-ldap use SASL binds, the code seems to be checking that a simple identity is there before it decides to use proxyauthz. Adding a stanza like 'binddn=cn=unused' to the idassert-bind option has worked as a workaround for now.
Let me know if that helps in your case. Haven't had a chance to figure out what needs changing, so the regression script would be useful.
Regards,