
Re: How to hide namingContext in rootDSE ?
Hello,

First, thank you for your help :)

>> 1/ Is there a better way to do this, without rewrite V2 values ?
>
> Well, you can use multiple instances of back-relay instead of back-ldap,
> saving transliterations of requests and responses.  I don't see other
> chances of rewriting the value of uniqueMember attributes.

Hum. I tried to apply your suggestions. But with OpenLDAP 2.3.43 (2.4.* not
yet), I get a well-formed "segmentation fault"! So, for the moment, I
have only one back-relay instead of two.

> Probably, a solution here (for a future enhancement) would be to allow
> specifying when rewriting should take place (before or after mapping?),
> or simply be as liberal as possible, allowing rewriting when either
> before or after an attribute will have DN syntax.  You can file an ITS
> for this.

OK, a good idea.

>> 2/ How can I hide my transitional LDAP suffix in the rootDSE ?
>
> Hiding values in namingContexts can be done using ACLs.  What makes it
> tricky is that namingContexts, by (poor?) design has no EQUALITY rule,
> so if you write a rule like
>
> access to dn.exact="" attrs=namingContext val="o=example transitional"
> 	by * none
>
> will not work.  You need to specify what equality rule to use, something
> like
>
> access to dn.exact=""
> 		attrs=namingContext
> 		val/distinguishedNameMatch="o=example transitional"
> 	by * none

OK. I also tried to apply this ACL. With some corrections, I have a matching
ACL in my OpenLDAP log. But it does not work...

I have only these ACLs defined:

8<--------
access to dn.exact=""
  attrs=namingContexts val/distinguishedNameMatch="o=example transitional"
  by * none
access to dn.base="" by * read
8<--------

The first should match when namingContexts are listed. But it doesn't; I
have read access to all values. I have inverted all ACLs, tried to apply
different scopes or more restrictive rights with some break/continue
controls, etc.

8<--------
Backend ACL: access to dn.base=""
 attrs=namingContexts
 val.base="o=example transitional"
	by * none

Backend ACL: access to dn.base=""
	by * read

Backend ACL: access to dn.base="cn=subschema"
	by * read
[...]
=> access_allowed: search access to "" "objectClass" requested
=> dn: [1]
=> acl_get: [1] matched
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "" "entry" requested
=> dn: [1]
=> acl_get: [1] matched
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr entry
=> acl_mask: access to entry "", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [1]
=> acl_get: [1] matched
acl_get: val o=example transitional
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
8<--------

Any idea?

Cheers,
Thomas.

-- 
Thomas Chemineau
Groupe LINAGORA - http://www.linagora.com
Tél.: +33(0)1 58 18 68 28 - Fax : +33(0)1 58 18 68 29
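Added example, not part of the message above and not OpenLDAP code: a small Python parser for the slapd ACL trace quoted in the message. It groups the trace into one record per `access_allowed` request, records which ACLs matched on DN, which one carried a `val/...` constraint, which ACL and `by` clause finally applied, and then flags every request where a value-qualified ACL matched on DN but a different ACL granted access. The sample trace is the first two `namingContexts` checks copied from the message; the reading of the lines (an `acl_get: [n] attr` line marks the ACL that was selected, `acl_mask: [n] applying` names the `by` clause inside it, and `acl_get: val ...` belongs to the ACL whose `[n] matched` line precedes it) is an assumption drawn from the visible trace, not from the slapd sources.

```python
"""Summarise a slapd ACL debug trace per access check and flag value-qualified
ACLs that never got applied. Added example; the log format is assumed from the
trace quoted in the message."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the first two namingContexts checks from the message's trace.
SAMPLE_TRACE = """\
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [1]
=> acl_get: [1] matched
acl_get: val o=example transitional
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
"""

REQ_RE = re.compile(r'^=> access_allowed: (\w+) access to "(.*)" "(\w+)" requested$')
DN_MATCH_RE = re.compile(r'^=> acl_get: \[(\d+)\] matched$')
VAL_RE = re.compile(r'^acl_get: val (.+)$')
ATTR_RE = re.compile(r'^=> acl_get: \[(\d+)\] attr (\w+)$')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=(\w*)\)')
RESULT_RE = re.compile(r'^=> access_allowed: (\w+) access (granted|denied)(?: by (\w+))?')


@dataclass
class AccessCheck:
    access: str                      # privilege requested (read, search, ...)
    dn: str                          # target entry; "" is the rootDSE
    attr: str
    dn_matched: List[int] = field(default_factory=list)      # ACLs whose <what> DN matched
    value_rules: Dict[int, str] = field(default_factory=dict)  # ACL index -> val constraint
    selected_acl: Optional[int] = None   # ACL whose attr clause was finally selected
    by_clause: Optional[int] = None      # <by> clause inside that ACL
    result: Optional[str] = None         # granted / denied
    privilege: Optional[str] = None      # privilege that decided it


def parse_trace(text: str) -> List[AccessCheck]:
    """Split the trace into one AccessCheck per 'access_allowed ... requested' line."""
    checks: List[AccessCheck] = []
    cur: Optional[AccessCheck] = None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            cur = AccessCheck(access=m.group(1), dn=m.group(2), attr=m.group(3))
            checks.append(cur)
        elif cur is None:
            continue
        elif m := DN_MATCH_RE.match(line):
            cur.dn_matched.append(int(m.group(1)))
        elif m := VAL_RE.match(line):
            # assumption: the val line belongs to the ACL whose "[n] matched" preceded it
            if cur.dn_matched:
                cur.value_rules[cur.dn_matched[-1]] = m.group(1)
        elif m := ATTR_RE.match(line):
            cur.selected_acl = int(m.group(1))
        elif m := APPLY_RE.match(line):
            cur.by_clause = int(m.group(1))
        elif m := RESULT_RE.match(line):
            cur.result, cur.privilege = m.group(2), m.group(3)
    return checks


def bypassed_value_rules(checks: List[AccessCheck]):
    """(attr, acl, value, selected_acl) for each check where an ACL with a val
    constraint matched on DN but another ACL was applied: the symptom in the
    message, where ACL [1] carries the value and ACL [2] (by * read) wins."""
    return [(c.attr, acl, value, c.selected_acl)
            for c in checks
            for acl, value in c.value_rules.items()
            if acl != c.selected_acl]


def report(checks: List[AccessCheck]) -> List[str]:
    return [f'{c.access:6} {c.attr:15} dn-matched={c.dn_matched} '
            f'applied=ACL[{c.selected_acl}] by[{c.by_clause}] {c.result} ({c.privilege})'
            for c in checks]


if __name__ == "__main__":
    parsed = parse_trace(SAMPLE_TRACE)
    print("\n".join(report(parsed)))
    for attr, acl, value, sel in bypassed_value_rules(parsed):
        print(f'WARNING: ACL[{acl}] val "{value}" on {attr} never applied; ACL[{sel}] decided')
```

Run against a full `slapd -d acl` capture, the warning list is a quick way to confirm what the trace in the message shows by hand: the value-qualified ACL is considered (its DN matches and its `val` is printed) but is never the one that `acl_mask` evaluates, so the catch-all `by * read` ACL decides every `namingContexts` value. The second sample check also shows slapd resuming from ACL [2] on later values of the same attribute, so the value rule is only ever tested once per request.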