On Thu, Apr 04, 2019 at 09:01:23AM -0700, Quanah Gibson-Mount wrote:
I had an extensive discussion with Howard about this today. Here's the
a) The FAQ is incorrect (I will fix this).
b) Pierangelo's email is correct
c) "dn:*" and "dn.regex=.*" are equivalent
d) The slapd-ldap man page needs to be fixed. I will file an ITS on this.
The idassert-authzFrom directive follows the same rules as described in the
slapd.conf(5) man page for authz-policy EXCEPT for it special casing "*" to
allow anonymous to work.
Thanks a lot for the clarifictions! Here is the link to the ITS ticket
which was communicated via IRC if anyone else is interested:
It would be nice if the man page update included mention of the default
behavior when idassert-authzFrom is not set at all. Since the text
currently reads "if defined, selects what local identities are
authorized to exploit the identity assertion feature" it is hard to tell
what happens if it is not defined. Is any identity allowed since there
is no filter? Is no identity allowed since there is no filter?
I believe the correct answer is "any identity except anonymous is
allowed", and it would be great if this was explicit.
Going back to my original question:
> What is the proper way to make sure only non-anonymous binds are allowed
> to utilize idassert-bind credentials?
Given the above information the proper way would be to not set
idassert-authzFrom at all.
Thanks again for taking the time to sort this out!