On 15.12.22 at 14:24, Ondřej Kuzník wrote:
It's not possible inside lloadd but when lloadd uses an identity A and a client binds with identity B, then sends an operation to it, what the backend receives is an operation with proxyauthz carrying B over a connection bound to A. If authz-policy says that's allowed, normal processing is done with B's identity (you can use the prefix "real" to check A's identity in ACLs if needed, see man slapd.access).
Ok, that's the part I understand :-). My user uid=lloadd opened the connections to my backend server. I can see that inside the logs. It's clear. My uid=repl-user sends a request to my loadbalancer (LB). The LB sends the request over one of the opened connections as uid=repl-user, but the backend server can't authenticate uid=repl-user, and that's where the authz-policy should work. Also clear. What is still not clear: how do I configure it? Maybe it's because I'm not a native English speaker, it's sometimes hard for me to understand. I understand that the default for authz-policy is "none". The manpage says to activate it if you need it. So I used the following ldif:
--------------
dn: cn=config
changetype: modify
replace: olcAuthzpolicy
olcAuthzpolicy: any
--------------
Or do I have to set it inside the database for my object?
Then I changed the uid=lloadd to:
-----------------------
dn: uid=lloadd,ou=users,dc=example,dc=net
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: lloadd
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$MTIz..
authzFrom: ldap:///dc=example,dc=net??sub?(uid=*)
-----------------------
But it's still not working. I also tried it with "authzTo", but with the same result, as I read in man slapd.conf. At the beginning I just want to get it working, then comes the security part. So I allow all uids.
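A tightened version of the two changes discussed in this message, added here as an example (not from the thread); it assumes repl-user lives under ou=users,dc=example,dc=net. authz-policy is a global slapd setting, so it belongs on cn=config; with policy "to", the authzTo attribute goes in the entry of the identity that binds (uid=lloadd) and lists exactly which identities it may assume, instead of every uid in the tree.

```ldif
# Added example, not from the thread.
# Global policy: only authzTo rules are consulted, and each rule must
# match exactly one identity (no wildcard URL that covers all uids).
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: to

# The binding identity (lloadd) may proxy-authorize only as repl-user.
# repl-user's DN is an assumption for this example.
dn: uid=lloadd,ou=users,dc=example,dc=net
changetype: modify
replace: authzTo
authzTo: dn.exact:uid=repl-user,ou=users,dc=example,dc=net
```

Once this works, any other client identity that lloadd tries to proxy is refused by the backend, which is the behaviour you want before adding further users one by one.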