On Thu, Apr 04, 2019 at 09:01:23AM -0700, Quanah Gibson-Mount wrote:
> I had an extensive discussion with Howard about this today. Here's the summary:
>
> a) The FAQ is incorrect (I will fix this).
> b) Pierangelo's email is correct.
> c) "dn:*" and "dn.regex=.*" are equivalent.
> d) The slapd-ldap man page needs to be fixed. I will file an ITS on this.
>
> The idassert-authzFrom directive follows the same rules as described in the slapd.conf(5) man page for authz-policy EXCEPT for it special casing "*" to allow anonymous to work.
Thanks a lot for the clarifications! Here is the link to the ITS ticket which was communicated via IRC if anyone else is interested: https://www.openldap.org/its/index.cgi/?findid=9003
It would be nice if the man page update included mention of the default behavior when idassert-authzFrom is not set at all. Since the text currently reads "if defined, selects what local identities are authorized to exploit the identity assertion feature" it is hard to tell what happens if it is not defined. Is any identity allowed since there is no filter? Is no identity allowed since there is no filter?
I believe the correct answer is "any identity except anonymous is allowed", and it would be great if this was explicit.
Going back to my original question:
What is the proper way to make sure only non-anonymous binds are allowed to utilize idassert-bind credentials?
Given the above information the proper way would be to not set idassert-authzFrom at all.
Thanks again for taking the time to sort this out!
Regards, Patrik Lundin
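For readers following the thread, here is an added slapd.conf(5) fragment (not from the message above or from the OpenLDAP project) that puts the two cases side by side: the "dn:*" setting, which per the summary also lets anonymous callers use the asserted identity, and the configuration where idassert-authzFrom is simply omitted, which the thread concludes limits identity assertion to non-anonymous binds. The suffix, URI, proxy DN and credentials are placeholders.

```conf
# Proxy database forwarding to a remote server (placeholder values)
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://backend.example.com/"

# Credentials slapd uses on the remote server when asserting the
# local caller's identity (mode=self). Replace the placeholder.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=example,dc=com"
                credentials="REPLACE_WITH_PROXY_PASSWORD"
                mode=self

# WEAK: "dn:*" is special-cased so that anonymous callers are also
# authorized to use the proxy credentials above. Equivalent to
# idassert-authzFrom "dn.regex=.*" per the thread.
#idassert-authzFrom "dn:*"

# PREFERRED for "only non-anonymous binds": leave idassert-authzFrom
# unset entirely. The thread's conclusion is that the default then
# allows any authenticated identity except anonymous.
```

After changing the directive, confirm the intended behaviour against a test instance with an anonymous and an authenticated ldapwhoami rather than relying on the man page text alone.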