Hi!
It works this way:
[...]
Ok. But in this very case, it's actually not the client who would want to read the authzTo attribute, but Server B. Server B tries to decide if a specific user who authenticated is allowed to assume the authorization of a different user. For that reason, Server B tries to read the authzTo attribute of the user object. That user object lives on Server A and does not have an authzTo attribute but only a saslAuthzTo attribute, due to the fact that the name of that internal attribute changed between 2.2 and 2.3.
We can see Server B querying Server A for the authzTo attribute. So that part is fine.
From the log files I can see there is something like "internal search". Would an overlay and a rwm-map apply to such an internal search as well?
Regards, Torsten
Pierangelo Masarati wrote:
Torsten Schlabach (Tascel eG) wrote:
Pierangelo!
I will happily provide some detailed debugging output. I just wanted to make sure that I understood the concept of rwm-map properly. So looking at our config, there isn't anything obvious that we have missed?
No.
Just to confirm:
We have
Server A <--- Server B <--- Client
 (bdb)        (ldap)

I need the overlay to happen between Server B and Server A, not between the client and Server B.
The manual isn't that detailed ... Or did I miss anything.
It works this way:
         <--- saslAuthzTo <---          <--- authzTo <---
Server A                      Server B                    Client
         ---> saslAuthzTo --->          ---> authzTo --->
 (bdb)                       (ldap+rwm)
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
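The setup in Pierangelo's diagram, written out as a slapd.conf fragment for Server B. This is an added example, not configuration posted in this thread or shipped by the OpenLDAP project. The suffix and the hostname of Server A are assumptions, and the fragment assumes Server B exposes the same naming context as Server A, so the DN-based values inside authzTo need no rewriting (if the suffixes differed, an rwm-suffixmassage rule would be needed on top of the attribute mapping).

```conf
# Server B: back-ldap proxy in front of Server A, with slapo-rwm mapping
# the attribute name between the two slapd versions.
# (Added example; suffix and hostname are assumptions.)

database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://server-a.example.com/"

overlay         rwm

# rwm-map attribute <local name> <foreign name>
# "authzTo" (the name Server B and its clients use) is sent to Server A as
# "saslAuthzTo", and "saslAuthzTo" in entries coming back from Server A is
# returned as "authzTo".
rwm-map         attribute authzTo saslAuthzTo
```

With this in place, an ldapsearch for the user entry against Server B requesting authzTo should show the value under that name, while the same search against Server A directly shows it as saslAuthzTo; if Server B still logs a search for authzTo reaching Server A unchanged, the mapping is not being applied to that request.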