Emmanuel Dreyfus wrote:
> It does alter the behavior: now I get this on the master:
>
>   Sep 9 23:41:10 ldap0 slapd[5365]: conn=170 op=1 RESULT tag=103 err=47 text=not authorized to assume identity
>
> And the BIND operation still shows the TLS certificate DN for both authzid and authcid: the binddn or authcid I provide does not appear.
That's expected: it is only needed by an internal check that decides whether to proxyAuthz or not. I've fixed this in HEAD/re24/re23, if you could try it... it's a trivial patch from back-ldap/bind.c you can pull from the CVS.
> Am I missing some directive on the master to allow the proxy authorization?
Yes. You should map the identity of the certificate DN onto some existing identity on the producer using the authz-regexp directive, and then add to that identity an authzTo rule that allows it to authorize as anyone (or as those that are authorized to exploit this feature).
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
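The producer-side setup the reply sketches, written out as an added example in cn=config LDIF. This is not code from the thread or from the OpenLDAP project; the names (consumer certificate subject cn=ldap1.example.com under o=example corp,c=us, suffix dc=example,dc=com, entry cn=ldap1,ou=replicas,dc=example,dc=com, user subtree ou=people) are assumptions, and TLS with client certificate verification is assumed to already be in place on the producer, since the log above shows the certificate DN arriving as the authcid.

```ldif
# Added example, not the thread's or the OpenLDAP project's own configuration.
# All DNs below are assumed placeholders.
#
# 1. Let entries carry authzTo rules at all: the default olcAuthzPolicy
#    is "none", in which case every proxy authorization fails with err=47.
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to
-
# 2. Map the SASL/EXTERNAL identity, i.e. the client certificate's subject
#    DN in slapd's normalized form (lowercase attribute types and values),
#    onto an entry that exists in the DIT. Without this the certificate DN
#    is an identity with no entry, so no authzTo rule can apply to it.
replace: olcAuthzRegexp
olcAuthzRegexp: "^cn=ldap1\.example\.com,ou=servers,o=example corp,c=us$" "cn=ldap1,ou=replicas,dc=example,dc=com"
-

# 3. The entry the certificate maps to, with the authzTo rule. authzTo is an
#    operational attribute, so any structural objectClass will do. The
#    dn.regex form restricts which identities this replica may assume;
#    "dn.regex:.*" would be the "authorize as anyone" variant the reply
#    mentions, and is usually more than a consumer needs.
dn: cn=ldap1,ou=replicas,dc=example,dc=com
changetype: add
objectClass: applicationProcess
cn: ldap1
description: syncrepl consumer ldap1 (assumed placeholder entry)
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
```

Load it with ldapmodify against cn=config on the producer. On the consumer side the syncrepl statement then needs only bindmethod=sasl saslmech=EXTERNAL plus an authzid= (for example authzid="dn:uid=replicator,ou=people,dc=example,dc=com") that falls inside the regex. A quick check that does not involve syncrepl is ldapwhoami -ZZ -Y EXTERNAL -X "dn:uid=replicator,ou=people,dc=example,dc=com" -H ldap://ldap0 from the consumer host with its certificate configured in ldap.conf: the producer log should then show the authzDN being granted instead of the err=47 result quoted above, and an authzid outside the regex should still fail with err=47, which confirms the rule is actually restricting something.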