--On Tuesday, April 02, 2019 12:39 AM +0200 Patrik Lundin patrik@sigterm.se wrote:
> Hello,
>
> What is the proper way to make sure only non-anonymous binds are allowed to utilize idassert-bind credentials?
Hi Patrik,
I had an extensive discussion with Howard about this today. Here's the summary:
a) The FAQ is incorrect (I will fix this).
b) Pierangelo's email is correct.
c) "dn:*" and "dn.regex=.*" are equivalent.
d) The slapd-ldap man page needs to be fixed. I will file an ITS on this. The idassert-authzFrom directive follows the same rules as described in the slapd.conf(5) man page for authz-policy EXCEPT for its special-casing of "*" to allow anonymous to work.
Hope that helps!
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com