Pierangelo Masarati ando@sys-net.it wrote:
And the BIND operation still shows the TLS certificate DN for both authzid and authcid: the binddn or authcid I provide does not appear.
That's expected: it is only needed by an internal check that decides whether to proxyAuthz or not. I've fixed this in HEAD/re24/re23, if you could try it... it's a trivial patch from back-ldap/bind.c you can pull from the CVS.
Does that patch fix the problem alone, or do I also need authz-regexp? For OpenLDAP 2.3.38, I just need bind.c 1.85.2.36-1.85.2.37, right? No other file needs to be changed?
Am I missing some directive on the master to allow the proxy authorization?
Yes. You should map the identity of the certificate DN onto some existing identity on the producer using the authz-regexp directive, and then add to that identity an authzTo rule that allows it to authorize as anyone (or as those that are authorized to exploit this feature).
Something like this? (I have never used those statements before)

authz-regexp cn=ldap1.example.net uid=ldap1,ou=pseudousers,dc=example,dc=net
authzTo dn.exact="uid=ldap1,ou=pseudousers,dc=example,dc=net"
Do I need authz-policy?
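The producer-side configuration Pierangelo describes, written out as an added illustration that is not part of this thread and not OpenLDAP project code. It keeps the names used above (ldap1.example.net, uid=ldap1,ou=pseudousers,dc=example,dc=net); the certificate subject components o=Example Org,c=NET and the ou=people subtree are assumed for the sake of the example.

```conf
# slapd.conf fragment for the producer (master). Added example, not from the thread.
#
# 1. Map the consumer's TLS client-certificate subject, which slapd presents as the
#    SASL EXTERNAL authcid in LDAP DN form, onto an entry that exists in the producer.
#    The first argument is a regular expression matched against the normalized
#    authc DN, so escape the dots and anchor both ends; an unanchored pattern would
#    also match any other certificate whose subject merely contains that CN.
#    (o=example org,c=net is an assumed certificate subject; use the real one.)
authz-regexp
    "^cn=ldap1\.example\.net,o=example org,c=net$"
    "uid=ldap1,ou=pseudousers,dc=example,dc=net"

# 2. authzTo values are only honoured when the policy enables the "to" direction.
#    The default is "none", under which the authzTo attribute is silently ignored,
#    so without this line the proxied binds still fail.
authz-policy to
```

The authzTo rule itself is not a slapd.conf directive but an attribute on the mapped entry, added with ldapmodify, for example `authzTo: dn.subtree:ou=people,dc=example,dc=net` to restrict the consumer to authorizing as entries under ou=people (assumed subtree), or `authzTo: dn.regex:.*` for "anyone" as mentioned above. Keeping it to the narrowest subtree that the consumer actually serves limits what a compromised consumer certificate could do. To confirm the mapping before touching authzTo, run `ldapwhoami -Y EXTERNAL -ZZ -H ldap://producer` with the consumer's certificate from the client ldaprc; the output should be `dn:uid=ldap1,ou=pseudousers,dc=example,dc=net`, and if it still shows the raw certificate DN the regex does not match the normalized form slapd uses.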