--On Friday, February 28, 2020 11:11 PM +0100 Dieter Bocklandt
<dieterbocklandt(a)gmail.com> wrote:

> However, we also have a service using SASL proxy authorization, in
> which case the authcid is used in the ProxyAuthz instead of the
> authorized authzid.
>
> Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 PROXYAUTHZ
> dn="cn=service,ou=system,dc=internal,dc=machines"
> Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2
> [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD
> dn="uid=sys.cp.test,ou=People,dc=internal,dc=machines"
>
> Am I misunderstanding how this is supposed to work, am I hitting a
> certain limitation or maybe a bug? Let me know if you need any more
> details!

This looks to me like it:
a) Logs what the proxied identity is (PROXYAUTHZ
dn="cn=service,ou=system,dc=internal,dc=machine")
b) Logs what the actual identity making the changes is
(USERNAME=cn=enduser,ou=People,dc=example,dc=net) and what IP address it
came from (IP=10.243.72.199) so that if questions arise about who made a
change, those questions can be answered from the logs.
I.e., I see both bits of information provided in the connection operation.
What makes you think you are hitting a limitation or a bug?
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
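The point of Quanah's reply is that the two log lines together answer the audit question: the PROXYAUTHZ line names the asserted (proxied) identity and the following operation line names the authenticated user (USERNAME=) and source IP. Because they are separate entries, an auditor has to join them on conn= and op=. The script below is an added example, not part of this thread or of OpenLDAP itself; it assumes the `[IP=... USERNAME=...]` operation format shown in Dieter's lines is emitted one entry per line by syslog, and the sample log it parses is constructed from those lines.

```python
"""Correlate slapd PROXYAUTHZ entries with the operation they apply to.

Added example (not OpenLDAP code). Assumes the log format seen in the thread:
  conn=N op=M PROXYAUTHZ dn="<asserted identity>"
  conn=N op=M [IP=<addr> USERNAME=<authcid>] <OP> <details>
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: modelled on the two entries quoted in the thread, plus a
# plain (non-proxied) search and a PROXYAUTHZ with no following operation line.
SAMPLE_LOG = """\
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machines"
Feb 28 22:02:38 ldap-master-az2 slapd[1915]: conn=26858 op=2 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] MOD dn="uid=sys.cp.test,ou=People,dc=internal,dc=machines"
Feb 28 22:02:39 ldap-master-az2 slapd[1915]: conn=26858 op=3 [IP=10.243.72.199 USERNAME=cn=enduser,ou=People,dc=example,dc=net] SRCH base="ou=People,dc=internal,dc=machines" scope=2 filter="(uid=sys.cp.test)"
Feb 28 22:02:40 ldap-master-az2 slapd[1915]: conn=26859 op=1 PROXYAUTHZ dn="cn=service,ou=system,dc=internal,dc=machines"
"""

# syslog prefix common to every slapd entry we care about
PREFIX = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) slapd\[\d+\]: '
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$'
)
PROXYAUTHZ = re.compile(r'^PROXYAUTHZ dn="(?P<dn>[^"]*)"$')
# the bracketed audit fields precede the operation keyword (MOD, ADD, SRCH, ...)
OPERATION = re.compile(
    r'^\[IP=(?P<ip>[^ \]]+) USERNAME=(?P<user>[^\]]+)\] (?P<kind>[A-Z]+) (?P<detail>.*)$'
)


@dataclass
class AuditRecord:
    conn: int
    op: int
    timestamp: str
    ip: str                     # where the connection came from
    authcid: str                # identity that actually authenticated (USERNAME=)
    proxied_dn: Optional[str]   # identity asserted via PROXYAUTHZ, if any
    kind: str                   # MOD, SRCH, ADD, ...
    detail: str


def parse_slapd_audit(log_text: str) -> Tuple[List[AuditRecord], List[Tuple[Tuple[int, int], str]]]:
    """Join PROXYAUTHZ lines to their operation line by (conn, op).

    Returns the audit records and any PROXYAUTHZ entries that never got a
    matching operation line (e.g. the log was truncated), so they are not
    silently lost.
    """
    pending: Dict[Tuple[int, int], str] = {}
    records: List[AuditRecord] = []
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue  # not a conn/op entry; ignore
        key = (int(m['conn']), int(m['op']))
        pm = PROXYAUTHZ.match(m['rest'])
        if pm:
            pending[key] = pm['dn']   # remember until the operation line arrives
            continue
        om = OPERATION.match(m['rest'])
        if om:
            records.append(AuditRecord(
                conn=key[0], op=key[1], timestamp=m['ts'], ip=om['ip'],
                authcid=om['user'], proxied_dn=pending.pop(key, None),
                kind=om['kind'], detail=om['detail']))
    return records, sorted(pending.items())


WRITE_OPS = {"MOD", "ADD", "DEL", "MODRDN"}


def proxied_writes(records: List[AuditRecord]) -> List[AuditRecord]:
    """Writes performed under an asserted identity: the 'who changed this?' view."""
    return [r for r in records if r.kind in WRITE_OPS and r.proxied_dn is not None]


def describe(r: AuditRecord) -> str:
    via = f" as {r.proxied_dn}" if r.proxied_dn else ""
    return f"{r.timestamp} conn={r.conn} op={r.op} {r.kind} by {r.authcid}{via} from {r.ip}: {r.detail}"


if __name__ == "__main__":
    recs, dangling = parse_slapd_audit(SAMPLE_LOG)
    for rec in proxied_writes(recs):
        print(describe(rec))
    for (conn, op), dn in dangling:
        print(f"unmatched PROXYAUTHZ conn={conn} op={op} dn={dn}")
```

Keying the join on (conn, op) rather than on timestamp matters: both entries in the thread carry the same second, and a busy server interleaves many connections within it. The dangling list is returned deliberately so a PROXYAUTHZ whose operation line is missing shows up in review instead of vanishing.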