Emmanuel Dreyfus wrote:
Does that patch fix the problem alone, or do I also need authz-regexp?
The two things are orthogonal:
- if you want the identity slapo-chain binds as to be allowed to authorize others, even if those do not exist in the database, you'll need to populate this identity's authzTo.
- In order to do this, that identity must exist in the database.
- So, if the DN resulting from a SASL bind does not exist in the database, you'll have to map it to an existing one using authz-regexp.
So your identity is actually undergoing two transformations:
1) cert DN -> existing DN, for the sole purpose of granting existing DN some permissions it needs to authorize other users; this is done by the authz-regexp directive alone
2) existing DN -> authorized DN via proxyAuthz, to actually perform the operation with the asserted identity; this transformation requires existing DN to be allowed to authorize as authorized DN, so requires an appropriate combination of the authz-policy parameters and of the authzTo attribute in the existing DN's entry.
Hope it's clear now.
For OpenLDAP 2.3.38, I just need bind.c 1.85.2.36-1.85.2.37, right? No other file is to be changed?
Yes. This patch only fixes a malformed internal test which required the authcId or the binddn to be present for proxyAuthz use in identity assertion, even though there are SASL mechs (like EXTERNAL) that do not make use of authcID. This patch lets things work without the need to set an otherwise unused authcId parameter in the idassert configuration.
Do I miss some directive on the master to allow the proxy authorization?
Yes. You should map the identity of the certificate DN onto some existing identity on the producer using the authz-regexp directive, and then add to that identity an authzTo rule that allows it to authorize as anyone (or as those that are authorized to exploit this feature).
Something like this? (I have never used those statements before)
authz-regexp cn=ldap1.example.net uid=ldap1,ou=pseudousers,dc=example,dc=net
authzTo dn.exact="uid=ldap1,ou=pseudousers,dc=example,dc=net"
Yes for the authz-regexp, No for the authzTo. For example, if the DN in the consumer's cert is "cn=cert", and you want it to be mapped to "cn=consumer", so that it can only authorize users whose DN is of the form "uid=foobar,ou=writers", you need to:
- add
    authz-policy to
    authz-regexp "^cn=cert$" "cn=consumer"
Then you need to modify the "cn=consumer" entry as follows:
dn: cn=consumer
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=writers$
See http://www.openldap.org/faq/data/cache/1254.html for details on the syntax of authzTo.
Now you need to carefully protect the authzTo attribute, otherwise, for example, those who can modify it for self would be able to authorize as the rootdn. Something like
access to attrs=authzTo by * auth
Do I need authz-policy?
Yes, see above.
I'd appreciate it if you could turn this, in due course, and as soon as the details shake down, into a FAQ entry. I think the subject belongs to chaining, which could go into the description of slapo-chain. Explicit reference to replication could be added.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati@sys-net.it
---------------------------------------
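The two-step decision described in the reply above (authz-regexp mapping of the certificate DN, then the authzTo check under authz-policy "to"), as an added Python model that is not OpenLDAP's own code. It assumes the producer configuration from the thread and deliberately ignores DN normalization, the u:/dn: identity forms and ACLs; the entries and DNs are constructed sample data.

```python
import re

def map_identity(sasl_dn, authz_regexps):
    """Model of authz-regexp: the first <match> pattern that matches the SASL
    identity rewrites it to <replace>; $1..$9 refer to capture groups.
    An identity that matches nothing is left unchanged."""
    for pattern, replacement in authz_regexps:
        m = re.search(pattern, sasl_dn)
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return sasl_dn

def rule_matches(rule, target_dn):
    """authzTo value forms used in the thread: dn.exact:<dn> and dn.regex:<re>."""
    style, _, value = rule.partition(":")
    if style == "dn.exact":
        return value.lower() == target_dn.lower()
    if style == "dn.regex":
        return re.search(value, target_dn, re.IGNORECASE) is not None
    raise ValueError("unsupported authzTo form: " + rule)

def proxy_authorize(cert_dn, target_dn, cfg):
    """Returns (existing_dn, allowed): step 1 maps the cert DN to an entry that
    exists in the database; step 2 consults that entry's authzTo, which slapd
    only does when authz-policy is 'to' (or 'any'; 'all' is not modeled)."""
    existing = map_identity(cert_dn, cfg["authz_regexp"])
    entry = cfg["entries"].get(existing)
    if entry is None:                      # mapped DN must exist in the database
        return existing, False
    if cfg["authz_policy"] not in ("to", "any"):
        return existing, False             # authzTo is ignored without the policy
    allowed = any(rule_matches(r, target_dn) for r in entry.get("authzTo", []))
    return existing, allowed

# Constructed producer-side configuration mirroring the thread's example.
PRODUCER = {
    "authz_policy": "to",
    "authz_regexp": [(r"^cn=cert$", "cn=consumer")],
    "entries": {
        "cn=consumer": {"authzTo": [r"dn.regex:^uid=[^,]+,ou=writers$"]},
        "cn=Manager,dc=example,dc=net": {},   # rootdn-like entry, must stay unreachable
    },
}

if __name__ == "__main__":
    for target in ("uid=foobar,ou=writers", "cn=Manager,dc=example,dc=net"):
        print(target, proxy_authorize("cn=cert", target, PRODUCER))
```

The anchored dn.regex is what keeps "uid=foobar,ou=writers,dc=example,dc=net" and the rootdn outside the rule, and the policy check is why the thread answers "Do I need authz-policy?" with yes.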