From 46b27edc3bd3ef604ad6846a1e1d08f1ff065ec8 Mon Sep 17 00:00:00 2001 From: Pierangelo Masarati Date: Sat, 15 May 2004 10:10:09 +0000 Subject: [PATCH] more on idassert --- doc/man/man5/slapd-ldap.5 | 44 ++++++++++++++++++++++++++++++++++++--- 1 file changed, 41 insertions(+), 3 deletions(-) diff --git a/doc/man/man5/slapd-ldap.5 b/doc/man/man5/slapd-ldap.5 index 4f232b977f..afff3fe073 100644 --- a/doc/man/man5/slapd-ldap.5 +++ b/doc/man/man5/slapd-ldap.5 @@ -22,6 +22,21 @@ same connection. This connection pooling strategy can enhance the proxy's efficiency by reducing the overhead of repeatedly making/breaking multiple connections. +The ldap database can also act as an information service, i.e. the identity +of locally authenticated clients is asserted to the remote server, possibly +in some modified form. +For this purpose, the proxy binds to the remote server with some +administrative identity, and, if required, authorizes the asserted identity. +See the +.IR idassert- * +rules below. +The administrative identity of the proxy, on the remote server, must be +allowed to authorize by means of appropriate +.B authzTo +rules; see +.BR slapd.conf (5) +for details. + .SH CONFIGURATION These .B slapd.conf @@ -72,7 +87,7 @@ check permissions. .B bindpw Password used with the bind DN above. .TP -.B proxyauthzdn "" +.B idassert-authcdn "" DN which is used to propagate the client's identity to the target by means of the proxyAuthz control when the client does not belong to the DIT fragment that is being proxyied by back-ldap. @@ -83,7 +98,7 @@ This requires the entry with identity on the remote server to have .B proxyAuthz privileges on a wide set of DNs, e.g. -.BR authzTo=dn.regex:.* , +.BR authzTo=dn.subtree:"" , and the remote server to have .B authz-policy set to @@ -95,7 +110,7 @@ See for details on these statements and for remarks and drawbacks about their usage. .TP -.B proxyauthzpw +.B idassert-passwd Password used with the proxy authzDN above. .TP .B idassert-mode @@ -158,6 +173,7 @@ permissions, or the asserted identities must have appropriate .I authzFrom permissions. Note, however, that the ID assertion feature is mostly useful when the asserted identities do not exist on the remote server. +.RE .TP .B idassert-authz if defined, selects what @@ -174,6 +190,28 @@ section related to .BR authz-policy , for details on the supported syntaxes. .TP +.B idassert-method [] +where valid method values are +.RS +.TP +.B ={none|simple|sasl} +.RE +.RS +.B =[mech=] [realm=] [authcid=] [cred=] +.RE +If method is +.IR sasl , +extra parameters can be given a described above. +The default is +.BR simple ; +.B none +inhibits proxy authorization; +.B sasl +uses a SASL bind with the above parameters; if required, +.I authorization +is performed by means of native SASL mechanism, and no proxyAuthz +is used for subsequent operations. +.TP .B proxy-whoami Turns on proxying of the WhoAmI extended operation. If this option is given, back-ldap will replace slapd's original WhoAmI routine with its -- 2.39.5