Ulrich Windl wrote:
> I have a question: You can define roles for authentication this way:
You probably are talking about authorization, not authentication.
> Multiple DNs can be members of a group/role, and you can use group names when assigning ACLs. To authenticate, a user will use his DN and own password.
> Now when a DN is member of multiple roles/groups, authenticating as member assigns all the rights each group/role has.
It depends. Note that order of the ACLs and <who> clause within ACLs is significant.
> The idea of a role however is that a user "changes hats", depending on the task he is doing.
> I wonder: Is it possible to authenticate with a group/role's DN and the user's (a member) password?
> Or is there some other mechanism to achieve what I want?
You could allow a single authenticated user to define a certain authz identity. You should make yourself familiar with SASL authz-ID, proxy authz and authzTo/authzFrom attributes.
If you're still feeling hungry for more intellectual input you can dive into various RBAC approaches presented at LDAPcon 2011 and 2013.
But IMO there's not much point in doing so because if the user's credentials are intercepted the attacker can gain access to any role.
Ciao, Michael.
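As an added illustration of the mechanism Michael points to (not part of the thread, and not OpenLDAP project configuration), the cn=config LDIF below puts the two pieces together: group-based ACLs whose evaluation order matters, and proxy authorization so that a user binds with her own DN and password but acts under a separate role identity. All DNs, the database index `{1}mdb`, and the user/role names are assumed for the example.

```ldif
# Constructed example: ACLs on the main database. slapd uses the first
# "to <what>" clause that matches the target entry, and inside it the
# first "by <who>" clause that matches the requester; nothing later is
# consulted, so clause order decides which rights a multi-group DN gets.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=hr,dc=example,dc=com"
  by dn.exact="cn=hr-admin-role,ou=roles,dc=example,dc=com" write
  by group.exact="cn=hr-staff,ou=groups,dc=example,dc=com" read
  by * none
olcAccess: {2}to *
  by users read
  by * none

# Global policy: a bound identity may switch to another identity only if
# its own entry's authzTo attribute permits that target ("to" policy).
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# Alice authenticates with her own password but may "change hats" to the
# hr-admin role identity. The role entry itself needs no password, since
# nobody ever binds as it.
dn: uid=alice,ou=people,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.exact:cn=hr-admin-role,ou=roles,dc=example,dc=com

# Client side (assumed host), using the proxied-authorization control
# (RFC 4370) on a simple bind as alice; "!" marks the control critical:
#   ldapsearch -x -H ldap://ldap.example.com \
#     -D "uid=alice,ou=people,dc=example,dc=com" -W \
#     -e '!authzid=dn:cn=hr-admin-role,ou=roles,dc=example,dc=com' \
#     -b "ou=hr,dc=example,dc=com" "(objectClass=*)"
```

Without the `-e authzid=...` control the same bind gives Alice only what rule `{1}` grants her own DN; with it, the operation is evaluated as the role DN and the `write` line applies. Because authzTo enumerates every identity a compromised password can assume, it should be writable only by the directory administrator, which is exactly the exposure Michael's closing caveat describes.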