Pierangelo Masarati ando@sys-net.it wrote:
Yes. You should map the identity of the certificate DN onto some existing identity on the producer using the authz-regexp directive, and then add to that identity an authzTo rule that allows it to authorize as anyone (or as those that are authorized to exploit this feature).
I got it working. Here is what I have; I'd be glad if you could confirm that I did not introduce security holes:
On the replica:

overlay chain
chain-uri ldaps://ldap0.example.net
chain-idassert-bind bindmethod=sasl saslmech=EXTERNAL binddn="cn=bugworkaround" mode=self
chain-idassert-authzFrom "*"
chain-return-error TRUE
On the master:

authz-policy to
authz-regexp cn=ldap1.example.net cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
authz-regexp cn=ldap2.example.net cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net

access to attrs=authzTo by * read stop
In the DIT:

dn: ou=pseudo-user,dc=example,dc=net
objectClass: organizationalUnit
ou: pseudo-user

dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap1.example.net
ou: pseudo-user
authzTo: *

dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap2.example.net
ou: pseudo-user
authzTo: *
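An added review script (mine, not part of this thread or of OpenLDAP) that reads the master-side directives and the pseudo-user entries quoted in the message, embedded here as constructed strings, and reports for each mapped certificate identity whether its authz-regexp pattern is anchored and whether the entry it maps to carries the wildcard authzTo, i.e. which identities the chain overlay can use to proxy as anyone. The LDIF reader is a minimal one (no line folding, no base64 values).

```python
# Constructed from the master-side configuration quoted in the message above.
MASTER_CONF = """\
authz-policy to
authz-regexp cn=ldap1.example.net cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
authz-regexp cn=ldap2.example.net cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
access to attrs=authzTo by * read stop
"""
# Constructed from the pseudo-user entries quoted in the message above.
PSEUDO_USERS_LDIF = """\
dn: cn=ldap1.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap1.example.net
authzTo: *

dn: cn=ldap2.example.net,ou=pseudo-user,dc=example,dc=net
objectClass: organizationalRole
cn: ldap2.example.net
authzTo: *
"""

def parse_authz_regexp(conf):
    """(pattern, replacement) pairs from every authz-regexp directive."""
    return [tuple(p[1:]) for p in (ln.split() for ln in conf.splitlines())
            if len(p) == 3 and p[0].lower() == "authz-regexp"]

def parse_ldif(ldif):
    """Minimal LDIF reader (no folding, no base64): dn -> {attr: [values]}."""
    entries, cur = {}, {}
    for line in ldif.splitlines() + [""]:   # trailing "" flushes the last entry
        if line.strip():
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
        elif cur:
            entries[cur["dn"][0]] = cur
            cur = {}
    return entries

def audit(conf, ldif):
    """For each mapped certificate identity, report what it may proxy as."""
    entries, report = parse_ldif(ldif), []
    for pattern, target in parse_authz_regexp(conf):
        grants = entries.get(target, {}).get("authzTo", [])
        report.append({
            "pattern": pattern, "maps_to": target,
            # slapd matches the pattern as a case-insensitive extended regex;
            # without ^...$ anchors any identity string containing it matches.
            "anchored": pattern.startswith("^") and pattern.endswith("$"),
            "can_proxy_anyone": "*" in grants,
        })
    return report
```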