Emmanuel Dreyfus wrote:
Pierangelo Masarati ando@sys-net.it wrote:
Yes. You should map the identity of the certificate DN onto some existing identity on the producer using the authz-regexp directive, and then add to that identity an authzTo rule that allows it to authorize as anyone (or as those that are authorized to exploit this feature).
I got it working. Here is what I have; I'd be glad if you could confirm that I did not introduce any security holes:

On the replica:

    overlay chain
    chain-uri ldaps://ldap0.example.net
    chain-idassert-bind bindmethod=sasl
        saslmech=EXTERNAL
        binddn="cn=bugworkaround"
        mode=self
    chain-idassert-authzFrom "*"
    chain-return-error TRUE

On the master:

    authz-policy to
    authz-regexp cn=ldap1.example.net
        cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
    authz-regexp cn=ldap2.example.net
        cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net

    access to attrs=authzTo
        by * read stop

In the DIT:

    dn: ou=pseudo-user,dc=example,dc=net
    objectClass: organizationalUnit
    ou: pseudo-user

    dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
    objectClass: organizationalRole
    cn: ldap1.example.net
    ou: pseudo-user
    authzTo: *

    dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
    objectClass: organizationalRole
    cn: ldap2.example.net
    ou: pseudo-user
    authzTo: *
Correct. See my previous message.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
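The two mechanisms the thread relies on, authz-regexp mapping of the SASL EXTERNAL certificate identity and the authzTo check under authz-policy to, can be exercised offline to see which client certificates would end up with proxy-authorization rights. The following is an added example written for this page, not code from the thread or from OpenLDAP. It assumes that slapd matches authz-regexp patterns as an unanchored, case-insensitive POSIX regex search against the certificate subject DN (modelled with re.search), that the replica certificates carry a subject of the form cn=<host>,o=Example,c=NET (a constructed assumption; substitute the real subject), and it models only the "*" and "dn:<exact DN>" forms of authzTo. It contrasts the rules exactly as posted with an anchored, dot-escaped variant:

```python
import re

# Added example, not from the thread or from OpenLDAP.
# Models: (1) authz-regexp rewriting of the SASL EXTERNAL authentication DN
# (the client certificate subject) to a DIT identity, first matching rule wins;
# (2) authz-policy to + authzTo: the mapped identity may proxy-authorize as a
# target only if its own authzTo covers that target.
# Assumption: slapd uses an unanchored, case-insensitive regex search, so an
# unanchored pattern matches anywhere inside the subject DN (re.search below).

# authz-regexp rules exactly as posted on the master: (pattern, mapped DN).
AUTHZ_REGEXP_AS_POSTED = [
    (r"cn=ldap1.example.net",
     "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net"),
    (r"cn=ldap2.example.net",
     "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net"),
]

# Tightened variant (editor's suggestion, assumes the replica certificates are
# issued with subject "cn=<host>,o=Example,c=NET"; use the real subject DN).
AUTHZ_REGEXP_ANCHORED = [
    (r"^cn=ldap1\.example\.net,o=example,c=net$",
     "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net"),
    (r"^cn=ldap2\.example\.net,o=example,c=net$",
     "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net"),
]

# Pseudo-user entries from the posted LDIF: DN -> list of authzTo values.
PSEUDO_USERS = {
    "cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net": ["*"],
    "cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net": ["*"],
}


def map_authc_dn(cert_subject_dn, rules):
    """Apply authz-regexp rules in order; return the mapped DN or None."""
    for pattern, mapped_dn in rules:
        if re.search(pattern, cert_subject_dn, re.IGNORECASE):
            return mapped_dn
    return None


def authz_to_permits(authz_dn, target_dn, entries):
    """authz-policy to: authz_dn's own authzTo must cover target_dn.

    Only the "*" and "dn:<exact DN>" value forms are modelled here.
    """
    for value in entries.get(authz_dn, []):
        if value == "*":
            return True
        if value.lower() == ("dn:" + target_dn).lower():
            return True
    return False


def can_proxy_as(cert_subject_dn, target_dn, rules, entries=PSEUDO_USERS):
    """Return (mapped identity or None, whether proxy authorization is allowed)."""
    mapped = map_authc_dn(cert_subject_dn, rules)
    if mapped is None:
        # Unmapped clients keep the raw certificate DN, which has no DIT entry
        # and therefore no authzTo: the authorization request is refused.
        return None, False
    return mapped, authz_to_permits(mapped, target_dn, entries)


if __name__ == "__main__":
    target = "uid=alice,ou=people,dc=example,dc=net"
    # Constructed subject DNs: a genuine replica, a lookalike that only the
    # unescaped dots in the posted pattern let through, and an unrelated cert.
    for subject in ("cn=ldap1.example.net,o=Example,c=NET",
                    "cn=ldap1Xexample-net,o=Example,c=NET",
                    "cn=attacker,ou=people,dc=example,dc=net"):
        print(subject,
              "posted:", can_proxy_as(subject, target, AUTHZ_REGEXP_AS_POSTED),
              "anchored:", can_proxy_as(subject, target, AUTHZ_REGEXP_ANCHORED))
```

The difference only matters for certificates the master actually trusts: the unanchored, dot-unescaped patterns admit any subject containing a nine-character run that matches the pattern, so the tightened rules cost nothing and remove the dependency on the CA never issuing a lookalike subject.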