What is the proper way to make sure only non-anonymous binds are allowed
to utilize idassert-bind credentials?
the following is
Authorize only non-anonymous:
It also states:
The idassert-authzFrom mechanism controls whether a client's identity
can be asserted or not. The idassert-authzFrom mechanism basically
selects what identities can access the identity assertion feature, and
indeed should be considered as the set of values of the authzFrom
attribute associated to the administrative identity, with the essential
difference that, if not present, by default every identity is
authorized, including anonymous.
These excerpts makes me believe that the expected default behaviour is that a
missing idassert-authzFrom will allow anyone, even anonymous binds. That
a pattern of "*" is supposed to match non-anon binds is also stated in
the slapd.conf man page (https://linux.die.net/man/5/slapd.conf
A pattern of * means any non-anonymous DN.
Then there is this contradictory message I found while looking through
If you want idassert to work also for anonymous operations (not
recommended, as this defeats the security model of the remote server, by
letting it believe that the proxy authenticated users while it didn't),
you need to explicitly enable it using an idassert-authzFrom rule that
includes anonymous, like
This is more in line with my tests, where removing the
"idassert-authzFrom" all together stops an anonymous ldapsearch from
returning a result, while adding 'idassert-authzFrom "dn:*"' makes it
return results for the anon bind.
I realize there is a difference between the the line from the FAQ
("dn:*") and the line from the mailing list ("dn.regex:.*") but
... it appears to me that "*", "dn:*" and "dn.regex:.*" are
be equivalent. I am using the meta backend, but I'm guessing they are
sharing code in this case.
The man page for slapd-meta does not state what the result of not
configuring a "idassert-authzFrom" is though it seems to yield the
results I want (that only properly authenticated connections can make
use of the idassert-bind credentials).
I'm guessing one way to make sure only authenticated clients can do
anything is to add "require authc" to the config, but it is hard to tell
how these things interact, and it would be nice to know what the
expected way to configure idassert-authzFrom is (even if it means
leaving it unset).