--On Friday, February 28, 2020 11:11 PM +0100 Dieter Bocklandt dieterbocklandt@gmail.com wrote:
However, we also have a service using SASL proxy authorization, in which case the authcid is used in the ProxyAuthz instead of the authorized authzid.
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machines"
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD dn="uid=sys.cp.test,ou=People,dc=internal,dc=machines"
Am I misunderstanding how this is supposed to work, am I hitting a certain limitation or maybe a bug? Let me know if you need any more details!
This looks to me like it:
a) Logs what the proxied identity is (PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machine")
b) Logs what the actual identity making the changes is (USERNAME=cn=enduser,ou=People,dc=example,dc=net) and what IP address it came from (IP=10.243.72.199) so that if questions arise about who made a change, those questions can be answered from the logs.
I.e., I see both bits of information provided in the connection operation.
What makes you think you are hitting a limitation or a bug?
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
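As an added example (not part of the thread, nor OpenLDAP's own code), here is a small log correlator that joins the PROXYAUTHZ line with the operation line on conn/op, so each audit record carries both the authcid (USERNAME) and the proxied authzid Quanah points to. It assumes the log format is exactly as quoted above; the first two sample lines are the thread's own, the third (op=3, no PROXYAUTHZ) is constructed to show a non-proxied operation.

```python
import re

# Constructed sample: first two lines are quoted from the thread, the third
# is made up (op=3 without a PROXYAUTHZ line) to exercise the non-proxied path.
SAMPLE_LOG = """\
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machines"
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD dn="uid=sys.cp.test,ou=People,dc=internal,dc=machines"
Feb 28 22:02:39 ldap-master-az2 slapd[1915]: conn=26858 op=3 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD dn="uid=other,ou=People,dc=internal,dc=machines"
"""

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
PROXY_RE = re.compile(r'^PROXYAUTHZ dn="(?P<dn>[^"]*)"')
ACTION_RE = re.compile(
    r'^\[IP=(?P<ip>\S+) USERNAME=(?P<user>[^\]]+)\] (?P<verb>[A-Z]+) dn="(?P<dn>[^"]*)"'
)


def correlate(log_text):
    """Return one audit record per logged operation.

    A PROXYAUTHZ line and the operation it applies to share conn/op, so the
    authzid is remembered per (conn, op) and attached to the matching action.
    effective_dn is the identity slapd evaluated access for (the proxied
    authzid when present, otherwise the authcid itself).
    """
    authz_by_op = {}  # (conn, op) -> authzid DN from the PROXYAUTHZ line
    records = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        key = (int(m["conn"]), int(m["op"]))
        proxy = PROXY_RE.match(m["rest"])
        if proxy:
            authz_by_op[key] = proxy["dn"]
            continue
        action = ACTION_RE.match(m["rest"])
        if not action:
            continue
        authzid = authz_by_op.get(key)
        records.append({
            "conn": key[0], "op": key[1], "ip": action["ip"],
            "authcid": action["user"],            # who really authenticated
            "effective_dn": authzid or action["user"],  # whose rights were used
            "proxied": authzid is not None,
            "verb": action["verb"], "target": action["dn"],
        })
    return records
```

Feeding the full log through correlate() gives one record per operation with the real user, the source IP, the identity whose rights were used and the modified entry, which is the combination the reply above says the two log lines already provide.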