andrew.findlay@skills-1st.co.uk wrote:
> On Mon, Jun 16, 2008 at 08:06:17PM +0200, Pierangelo Masarati wrote:
>> Ah, OK. Note that since some point in 2.3, authorization is described by a specific syntax http://www.openldap.org/faq/data/cache/1254.html, which should probably be advertised a bit more (and moved out from the experimental OID arc).
> If that is used *everywhere* for authorisation then there could well be more doc errors to correct. I am fairly sure I saw one place where the docs specifically exclude some of those forms.

Yes, I believe in some cases some of the variants of the syntax are not allowed. This is true, for example, in SASL identity mapping, which does not allow the regex, subtree, children, onelevel, group and users styles; only the base and uri forms are allowed (provided the latter returns only a single match).

> I notice that '*' excludes anonymous in this spec. There is an undocumented option to 'allow' that seems relevant: proxy_authz_anon -

Why undocumented? It is documented (in 2.4, at least; it does not exist for 2.3).

> would allowing this cause anon to be included in '*' generally or is it not that simple?

'*' implies a non-empty value; to include anonymous, use "dn.regex:.*", or "dn.subtree:".
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: ando@sys-net.it