Home / server / Questions / 232856
Accepted
Brad Mace
Asked: 2011-02-09 10:44:37 +0800 CST

Granting access to authzTo attribute

  • 772

I'm trying to grant certain accounts auth access to their authzTo attribute in order to allow proxied authorization.

I tried adding this ldif:

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
add: olcAccess
olcAccess: {1}to authzTo by dn.children="ou=Special Accounts,dc=example,dc=com" auth
-

using the command ldapadd -f perm.ldif -D "cn=admin,cn=config" -W

but got this error:

modifying entry "olcDatabase={-1}frontend,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
    additional info: <olcAccess> handler exited with 1

using verbose output and turning up the debug level haven't given me any more clues. Can anyone see what I'm doing wrong?

openldap proxied-authorization

2 Answers

  1. Best Answer

    Realized what I was doing dumb after working on some other permissions. It should be attrs=authzTo, not just authzTo by itself. And what I really wanted was 

    to dn.children="ou=Special Accounts,dc=example,dc=com" attrs=authzTo by self auth
    • 0

  2. EDIT: OP explicitly asked about 'auth', not 'write' access, so this answer is not very relevant.

    I realize that I'm 8 years late for this question, but I think that it needs to be noted that it's a bad idea to permit write access to own authzTo attribute.

    Source rules are extremely powerful. If ordinary users have access to write the authzTo attribute in their own entries, then they can write rules that would allow them to authorize as anyone else. As such, when using source rules, the authzTo attribute should be protected with an ACL that only allows privileged users to set its values.

    (quote from https://www.linuxtopia.org/online_books/network_administration_guides/ldap_administration/sasl_SASL_Proxy_Authorization.html)

    • -1