Skip to content
GitLab
Projects
Groups
Snippets
/
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Sign in / Register
Toggle navigation
Menu
Open sidebar
Joe Martin
OpenLDAP
Commits
ac3eea1f
Commit
ac3eea1f
authored
Apr 14, 2008
by
Quanah Gibson-Mount
Browse files
ITS#5406
parent
691b4dfa
Changes
2
Hide whitespace changes
Inline
Side-by-side
CHANGES
View file @
ac3eea1f
...
...
@@ -24,6 +24,7 @@ OpenLDAP 2.4.9 Engineering
Fixed slapo-syncprov double-free (ITS#5445)
Documentation
Fixed slapd.access(5) authz-regexp documented behavior (ITS#5400)
Fixed slapd.meta(5) idassert-* documentation (ITS#5406)
OpenLDAP 2.4.8 Release (2008/02/19)
Fixed ldapmodify verbose logging (ITS#5247)
...
...
doc/man/man5/slapd-meta.5
View file @
ac3eea1f
...
...
@@ -285,6 +285,183 @@ The optional number marks target <target> as the default one, starting
from 1.
Target <target> must be defined.
.TP
.B idassert-authzFrom <authz-regexp>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The string
.B <authz-regexp>
follows the rules defined for the
.I authzFrom
attribute.
See
.BR slapd.conf (5),
section related to
.BR authz-policy ,
for details on the syntax of this field.
.HP
.hy 0
.B idassert-bind
.B bindmethod=none|simple|sasl [binddn=<simple DN>] [credentials=<simple password>]
.B [saslmech=<SASL mech>] [secprops=<properties>] [realm=<realm>]
.B [authcId=<authentication ID>] [authzId=<authorization ID>]
.B [authz={native|proxyauthz}] [mode=<mode>] [flags=<flags>]
.B [tls_cert=<file>]
.B [tls_key=<file>]
.B [tls_cacert=<file>]
.B [tls_cacertdir=<path>]
.B [tls_reqcert=never|allow|try|demand]
.B [tls_ciphersuite=<ciphers>]
.B [tls_crlcheck=none|peer|all]
.RS
Allows to define the parameters of the authentication method that is
internally used by the proxy to authorize connections that are
authenticated by other databases.
The identity defined by this directive, according to the properties
associated to the authentication method, is supposed to have auth access
on the target server to attributes used on the proxy for authentication
and authorization, and to be allowed to authorize the users.
This requires to have
.B proxyAuthz
privileges on a wide set of DNs, e.g.
.BR authzTo=dn.subtree:"" ,
and the remote server to have
.B authz-policy
set to
.B to
or
.BR both .
See
.BR slapd.conf (5)
for details on these statements and for remarks and drawbacks about
their usage.
The supported bindmethods are
\fBnone|simple|sasl\fP
where
.B none
is the default, i.e. no \fIidentity assertion\fP is performed.
The authz parameter is used to instruct the SASL bind to exploit
.B native
SASL authorization, if available; since connections are cached,
this should only be used when authorizing with a fixed identity
(e.g. by means of the
.B authzDN
or
.B authzID
parameters).
Otherwise, the default
.B proxyauthz
is used, i.e. the proxyAuthz control (Proxied Authorization, RFC 4370)
is added to all operations.
The supported modes are:
\fB<mode> := {legacy|anonymous|none|self}\fP
If
.B <mode>
is not present, and
.B authzId
is given, the proxy always authorizes that identity.
.B <authorization ID>
can be
\fBu:<user>\fP
\fB[dn:]<DN>\fP
The former is supposed to be expanded by the remote server according
to the authz rules; see
.BR slapd.conf (5)
for details.
In the latter case, whether or not the
.B dn:
prefix is present, the string must pass DN validation and normalization.
The default mode is
.BR legacy ,
which implies that the proxy will either perform a simple bind as the
.I authcDN
or a SASL bind as the
.I authcID
and assert the client's identity when it is not anonymous.
Direct binds are always proxied.
The other modes imply that the proxy will always either perform a simple bind
as the
.IR authcDN
or a SASL bind as the
.IR authcID ,
unless restricted by
.BR idassert-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
Other identity assertion modes are
.BR anonymous
and
.BR self ,
which respectively mean that the
.I empty
or the
.IR client 's
identity
will be asserted;
.BR none ,
which means that no proxyAuthz control will be used, so the
.I authcDN
or the
.I authcID
identity will be asserted.
For all modes that require the use of the
.I proxyAuthz
control, on the remote server the proxy identity must have appropriate
.I authzTo
permissions, or the asserted identities must have appropriate
.I authzFrom
permissions. Note, however, that the ID assertion feature is mostly
useful when the asserted identities do not exist on the remote server.
Flags can be
\fBoverride,[non-]prescriptive\fP
When the
.B override
flag is used, identity assertion takes place even when the database
is authorizing for the identity of the client, i.e. after binding
with the provided identity, and thus authenticating it, the proxy
performs the identity assertion using the configured identity and
authentication method.
When the
.B prescriptive
flag is used (the default), operations fail with
\fIinappropriateAuthentication\fP
for those identities whose assertion is not allowed by the
.B idassert-authzFrom
patterns.
If the
.B non-prescriptive
flag is used, operations are performed anonymously for those identities
whose assertion is not allowed by the
.B idassert-authzFrom
patterns.
The TLS settings default to the same as the main slapd TLS settings,
except for
.B tls_reqcert
which defaults to "demand".
The identity associated to this directive is also used for privileged
operations whenever \fBidassert-bind\fP is defined and \fBacl-bind\fP
is not. See \fBacl-bind\fP for details.
.RE
.TP
.B idle-timeout <time>
This directive causes a cached connection to be dropped an recreated
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment