Re: [EXT] Re: lloadd Proxied Authorization Denied (123)

2022-12-16 Thread Ulrich Windl
>>> Stefan Kania wrote on 15.12.2022 at 18:55 in message <4c04e864-2b72-c9d2-96b9-036c11f58...@kania-online.de>: > > On 15.12.22 at 17:56 Quanah Gibson-Mount wrote: >> >> >> --On Thursday, December 15, 2022 3:02 PM +0100 Stefan Kania >> wrote: >> >>> -- >>> dn: cn=config >

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Stefan Kania
On 15.12.22 at 17:56 Quanah Gibson-Mount wrote: --On Thursday, December 15, 2022 3:02 PM +0100 Stefan Kania wrote: -- dn: cn=config changetype: modify replace: olcAuthzpolicy olcAuthzpolicy: any -- Since you only need it to be possible for the lloadd user to a

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Quanah Gibson-Mount
--On Thursday, December 15, 2022 3:02 PM +0100 Stefan Kania wrote: -- dn: cn=config changetype: modify replace: olcAuthzpolicy olcAuthzpolicy: any -- Since you only need it to be possible for the lloadd user to assume other identities, I'd use a policy of 'to' in

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Stefan Kania
On 15.12.22 at 16:38 Ondřej Kuzník wrote: Should be authzTo if you're adding it to the lloadd's identity, are you sure uid=lloadd,ou=users,dc=example,dc=net has 'auth' (+x) access to dc=example,dc=net and the uid attribute on the subtree? Thank you for the push in the right direction I added an

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Ondřej Kuzník
On Thu, Dec 15, 2022 at 03:02:00PM +0100, Stefan Kania wrote: > -- > dn: cn=config > changetype: modify > replace: olcAuthzpolicy > olcAuthzpolicy: any > -- > Or do I have to set it inside the database for my object? This is a global setting so that's the correct place. >

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Stefan Kania
On 15.12.22 at 14:24 Ondřej Kuzník wrote: It's not possible inside lloadd but when lloadd uses an identity A and a client binds with identity B, then sends an operation to it, what the backend receives is an operation with proxyauthz carrying B over a connection bound to A. If authz-policy sa

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Ondřej Kuzník
On Thu, Dec 15, 2022 at 01:43:41PM +0100, Stefan Kania wrote: > On 15.12.22 at 13:10 Ondřej Kuzník wrote: >> Hi Stefan, >> the backends are refusing the lloadd's identity (in your case >> uid=lloadd,ou=users,dc=example,dc=net) the permission to act as a proxy >> for the users in question. You sho

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Stefan Kania
On 15.12.22 at 13:10 Ondřej Kuzník wrote: On Wed, Dec 14, 2022 at 09:20:14PM +0100, Stefan Kania wrote: I now took the example configuration and changed it to my settings: - feature proxyauthz bindconf bindmethod=simple binddn=uid=lloadd,ou=users,dc=example,dc=

Re: lloadd Proxied Authorization Denied (123)

2022-12-15 Thread Ondřej Kuzník
On Wed, Dec 14, 2022 at 09:20:14PM +0100, Stefan Kania wrote: > I now took the example configuration and changed it to my settings: > > - > feature proxyauthz > bindconf bindmethod=simple > binddn=uid=lloadd,ou=users,dc=example,dc=net > - > > The b

lloadd Proxied Authorization Denied (123)

2022-12-14 Thread Stefan Kania
I now took the example configuration and changed it to my settings: - TLSCertificateFile /opt/symas/etc/openldap/example-net-cert.pem TLSCertificateKeyFile /opt/symas/etc/openldap/example-net-key.pem TLSCACertificateFile /opt/symas/etc/openldap/cacert.pem pidfile /var/