.RS
.RS
.TP
-.B <mode>={legacy|anonymous|self|none|<id>}
+.B <mode>={legacy|anonymous|none|<id>|self}
.RE
.RS
.B <id>={u:<ID>|[dn:]<DN>}
The other modes imply that the proxy will always bind as
.IR idassert-authcdn ,
unless restricted by
-.BR idassert-authz
+.BR idassert-authzFrom
rules (see below), in which case the operation will fail;
eventually, it will assert some other identity according to
.BR <mode> .
useful when the asserted identities do not exist on the remote server.
.RE
.TP
-.B idassert-authz <authz>
+.B idassert-authzFrom <authz>
if defined, selects what
.I local
identities are authorized to exploit the identity assertion feature.
The
.B all
flag requires both authorizations to succeed.
-The rules are simply regular expressions specifying which DNs are allowed
+.LP
+.RS
+The rules are mechanisms to specify which identities are allowed
to perform proxy authorization.
The
.I authzFrom
.B identity
or a set of identities; it can take three forms:
.RS
-.RS
.TP
.B ldap:///<base>??[<scope>]?<filter>
.RE
.I <pattern>
to be compiled according to
.BR regex (7).
+A pattern of
+.I *
+means any non-anonymous DN.
The third form is a SASL
.BR id ,
with the optional fields
.I authzTo
can impact security, users are strongly encouraged
to explicitly set the type of identity specification that is being used.
+A subset of these rules can be used as third arg in the
+.B authz-regexp
+statement (see below); significantly, the
+.I URI
+and the
+.I dn.exact:<dn>
+forms.
.RE
.TP
.B authz-regexp <match> <replace>
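Review bot: the added sentence "A pattern of * means any non-anonymous DN" follows directly after the statement that `<pattern>` is "compiled according to regex(7)", and a bare `*` is not a meaningful regular expression, so the text should state explicitly that `*` is recognised as a special case before any regex compilation and that it still excludes the anonymous identity; since this wildcard is the broadest possible idassert-authzFrom rule, a one-line caution beside it would fit the existing advice that the form of identity specification "can impact security". Two smaller points in the same hunk: the directive is renamed from `idassert-authz` to `idassert-authzFrom` in both the synopsis line and the cross-reference, but nothing here says whether the old spelling is still accepted, so an administrator reading this page cannot tell whether existing configurations must be updated; and "third arg in the authz-regexp statement" does not match the synopsis `.B authz-regexp <match> <replace>` that follows, which shows two arguments, so either say "the <replace> argument" or adjust the synopsis. Finally, "significantly, the URI and the dn.exact:<dn> forms" should read "namely" or "specifically".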