On 15.12.22 at 14:24, Ondřej Kuzník wrote:
It's not possible inside lloadd but when lloadd uses an identity A and a
client binds with identity B, then sends an operation to it, what the
backend receives is an operation with proxyauthz carrying B over a
connection bound to A. If authz-policy says that's allowed, normal
processing is done with B's identity (you can use the prefix "real" to
check A's identity in ACLs if needed, see man slapd.access).


Ok, that's the part I understand :-).

My user uid=lloadd opened the connections to my backend server. I can see that inside the logs. It's clear: my uid=repl-user sends a request to my load balancer (LB). The LB sends the request over one of the opened connections as uid=repl-user, but the backend server can't authenticate uid=repl-user; that's where the authz-policy should work. Also clear.

What is still not clear: how do I configure it? Maybe it's because I'm not a native English speaker, it's sometimes hard for me to understand. I understand that the default for authz-policy is "none". The man page said to activate it if you need it. So I used the following ldif:
--------------
dn: cn=config
changetype: modify
replace: olcAuthzpolicy
olcAuthzpolicy: any
--------------
Or do I have to set it inside the database for my object?

Then I changed the uid=lloadd to:
-----------------------
dn: uid=lloadd,ou=users,dc=example,dc=net
objectClass: account
objectClass: simpleSecurityObject
objectClass: top
uid: lloadd
userPassword: {ARGON2}$argon2i$v=19$m=4096,t=3,p=1$MTIz..
authzFrom: ldap:///dc=example,dc=net??sub?(uid=*)
-----------------------

But it's still not working. I also tried it with "authzTo", as I read in man slapd.conf, but same result. At the beginning I just want to get it working, then comes the security part. So I allow all uids.
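As an added example (not part of this thread, and not OpenLDAP project code), here are the two halves of a proxy-authorization setup for the names used in the post, plus a check that bypasses lloadd. The global switch is olcAuthzPolicy on cn=config (it is not a per-database setting); the permission itself lives on the entry of the identity that binds (A = uid=lloadd) as authzTo, naming which identities it may become. authzFrom expresses the same thing from the other side: it sits on the target entry (B = uid=repl-user) and names who may become B. With "any" either one is enough; "to" only consults authzTo. The backend hostname and the cn=config admin DN are assumptions; the user DNs come from the post. Restrict the URL filter to the accounts that need proxying rather than (uid=*).

```shell
#!/bin/sh
# Added example, not from the thread. Hostname and config-admin DN are
# assumptions; the two user DNs are taken from the post.
set -eu

BACKEND_URI="${BACKEND_URI:-ldap://backend.example.net}"   # assumed
CONFIG_DN="${CONFIG_DN:-cn=admin,cn=config}"                # assumed
LLOADD_DN="uid=lloadd,ou=users,dc=example,dc=net"
TARGET_DN="uid=repl-user,ou=users,dc=example,dc=net"

# 1. Global switch: authz-policy is an attribute of cn=config.
#    "to" is enough when the permission is an authzTo on the binding
#    identity; "any" would also accept an authzFrom on the target entry.
authz_policy_ldif() {
  printf '%s\n' \
    'dn: cn=config' \
    'changetype: modify' \
    'replace: olcAuthzPolicy' \
    'olcAuthzPolicy: to'
}

# 2. Permission on the identity that binds (A = lloadd): authzTo lists the
#    identities A may become. The filter names only repl-user instead of
#    (uid=*), so lloadd cannot be used to act as any other account.
authzto_ldif() {
  printf '%s\n' \
    "dn: $LLOADD_DN" \
    'changetype: modify' \
    'replace: authzTo' \
    'authzTo: ldap:///ou=users,dc=example,dc=net??sub?(uid=repl-user)'
}

apply() {
  authz_policy_ldif | ldapmodify -H "$BACKEND_URI" -x -D "$CONFIG_DN" -W
  authzto_ldif      | ldapmodify -H "$BACKEND_URI" -x -D "$CONFIG_DN" -W
}

# 3. Check straight against the backend, leaving lloadd out of the picture:
#    bind as A and ask "who am I?" while requesting authorization as B
#    (proxied authorization control, RFC 4370). On success the answer is
#    B's DN; if the policy or the authzTo rule does not match, the backend
#    refuses the control and slapd logs why.
verify() {
  ldapwhoami -H "$BACKEND_URI" -x -D "$LLOADD_DN" -W \
    -e "authzid=dn:$TARGET_DN"
}

case "${1:-}" in
  apply)  apply ;;
  verify) verify ;;
  *)      authz_policy_ldif; echo; authzto_ldif ;;
esac
```

Run it as `sh proxyauthz.sh apply` and then `sh proxyauthz.sh verify`; with no argument it only prints the two LDIF fragments. Once `verify` returns the repl-user DN on the backend, a failure through lloadd is on the lloadd side and not in the backend's authz configuration.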
