
Re: slapd-ldap and authentication



Daniel Tiefnig wrote:
> Hej,
>
> It's been a long time since I used OpenLDAP and read the lists, (like 7
> years ago) so first: hello again! :-)
>
> I'm using "OpenLDAP: slapd 2.3.30" from debian/etch, trying to access
> two database shadows via a slapd-ldap proxy. The shadow contains these
> two databases holding NSS and addressbook entries: (passwords changed)
>
> #######################################################################
> # The NSS databases contains NSS accounts and groups.
> database        bdb
> suffix       "dc=nss,dc=sipwise,dc=com"
> directory    "/var/lib/ldap/nss"
> lastmod      on
> rootdn       "cn=root,dc=nss,dc=sipwise,dc=com"
> rootpw       s1kkr1t
> dbconfig  set_cachesize       0 20971520 0
> dbconfig  set_lk_max_objects  1500
> dbconfig  set_lk_max_locks    1500
> dbconfig  set_lk_max_lockers  1500
> index     objectClass,cn,uid,uidNumber,gidNumber  eq
> syncrepl     rid=002
>              provider=ldap://db1
>              bindmethod=simple
>              binddn="cn=root,dc=nss,dc=sipwise,dc=com"
>              credentials=s1kkr1t
>              searchbase="dc=nss,dc=sipwise,dc=com"
>              schemachecking=on
>              type=refreshAndPersist
>              retry="60 +"
>
> #######################################################################
> # The addressbook database contains contacts for e-mail and phone.
> database        bdb
> suffix       "dc=addressbook,dc=sipwise,dc=com"
> directory    "/var/lib/ldap/addressbook"
> lastmod      on
> rootdn       "cn=root,dc=addressbook,dc=sipwise,dc=com"
> rootpw       s1kkr1t
> dbconfig  set_cachesize       0 20971520 0
> dbconfig  set_lk_max_objects  1500
> dbconfig  set_lk_max_locks    1500
> dbconfig  set_lk_max_lockers  1500
> index     objectClass,entryUUID  eq
> index     cn,sn,mail,givenName   sub
> syncrepl     rid=003
>              provider=ldap://db1
>              bindmethod=simple
>              binddn="cn=root,dc=addressbook,dc=sipwise,dc=com"
>              credentials=s1kkr1t
>              searchbase="dc=addressbook,dc=sipwise,dc=com"
>              schemachecking=on
>              type=refreshAndPersist
>              retry="60 +"
>
>
> The simple ACL configuration is:
>
> #######################################################################
> access to attrs=userPassword
>           dn.subtree="ou=people,dc=nss,dc=sipwise,dc=com"
>         by anonymous auth
>         by * none
> access to dn.subtree="dc=nss,dc=sipwise,dc=com"
>         by users read
>         by * none
> access to dn.subtree="dc=addressbook,dc=sipwise,dc=com"
>         by users write
>         by * none
>
>
> Trying to access the two databases using ldapsearch (directly towards
> the shadow, not the local slapd) on the proxy machine works just fine.
> The slapd.conf on the proxy contains two "ldap" databases which forward
> requests to the shadow databases:
>
> #######################################################################
> # The nss database contains NSS accounts.
> database        ldap
> suffix       "dc=nss,dc=sipwise,dc=com"
> uri          "ldap://db/";
>
> #######################################################################
> # The addressbook database contains contacts for e-mail and phone.
> database        ldap
> suffix       "dc=addressbook,dc=sipwise,dc=com"
> uri          "ldap://db/";
>
>
> Now, trying to access the nss database using ldapsearch towards the
> proxy from a client works fine too, but I can't get any entries from the
> addressbook.
>
> Commandlines are:
> ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
>            -W -b dc=nss,dc=sipwise,dc=com cn=\*
> ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
>            -W -b dc=addressbook,dc=sipwise,dc=com cn=\*
>
> When running slapd with "-d 128" on the shadow, after the authentication
> stuff, I can see the following for the nss database:
> => acl_mask: access to entry "dc=nss,dc=sipwise,dc=com", attr "cn" \
>    requested
> => acl_mask: to all values by \
>    "uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com", (=0)
>
> And for the addressbook database I get:
> => acl_mask: access to entry "dc=addressbook,dc=sipwise,dc=com", \
>    attr "cn" requested
> => acl_mask: to all values by "", (=0)
>
> I.e. it looks like access to the addressbook database is done
> anonymously, even though authentication is performed right before. When
> doing the ldapsearches directly to the shadow, this does not happen.
>
> Am I missing something in the proxy configuration? Why does searching
> the nss database work? Because my bind user is within the same database?
> Sounds a little bit weird to me.
Yes - when you bind to the NSS database, your bind is proxied, and a
dedicated connection is used for subsequent searches on the NSS database.

However, when you bind to the NSS database, then search on the
addressbook database, you don't appear to have performed a bind with an
identity on the addressbook database, so slapd-ldap just assumes the
anonymous identity.

Basically, the server has no way of knowing that it can trust your bind
from the NSS database. The idassert-bind configuration may be of help to
you - check out the man page and the detailed discussion of this in the
FAQ (note the first scenario which is exactly what you want to do):
http://www.openldap.org/faq/data/cache/532.html

Regards,
Jonathan Clarke

--
LinID - Open Source Identity Management
---------------------------------------------------------------
Linagora
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28 / 06 99 60 03 10
---------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org/
---------------------------------------------------------------
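A configuration sketch of the idassert-bind approach Jonathan points to, added here and not part of the thread: the proxy binds to the shadow as a dedicated low-privilege identity and asserts the already-authenticated client DN on each forwarded operation, and the shadow permits that assertion through authz-policy plus an authzTo value on the proxy entry. The proxy DN cn=proxy,dc=addressbook,dc=sipwise,dc=com and its password are assumed placeholders; directive syntax follows slapd-ldap(5) and slapd.conf(5).

```conf
# Proxy slapd.conf: addressbook database asserts the client's identity on the shadow.
# Assumed: the entry cn=proxy,dc=addressbook,dc=sipwise,dc=com exists on the shadow
# (LDIF below); "pr0xyS3cret" is a constructed placeholder, not a real credential.
database        ldap
suffix       "dc=addressbook,dc=sipwise,dc=com"
uri          "ldap://db/"
# Bind to the shadow as the proxy identity and assert the client's own DN
# (mode=self) via the proxyAuthz control on every forwarded operation.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=addressbook,dc=sipwise,dc=com"
                credentials="pr0xyS3cret"
                mode=self
# Only identities from the NSS people subtree may be asserted; how other
# identities are treated is governed by the flags option (see slapd-ldap(5)).
idassert-authzFrom "dn.subtree:ou=people,dc=nss,dc=sipwise,dc=com"

# Shadow slapd.conf, global section (before the first "database" line):
# the proxy entry's own authzTo values decide whom it may impersonate.
authz-policy    to

# Shadow: proxy identity, loaded once with ldapadd as the addressbook rootdn.
# authzTo is limited to the same subtree the proxy allows, so the proxy
# credential alone can never impersonate the rootdn or anything else.
#   dn: cn=proxy,dc=addressbook,dc=sipwise,dc=com
#   objectClass: organizationalRole
#   objectClass: simpleSecurityObject
#   cn: proxy
#   userPassword: pr0xyS3cret
#   authzTo: dn.subtree:ou=people,dc=nss,dc=sipwise,dc=com
```

With this in place the "-d 128" trace on the shadow should show the addressbook acl_mask line "by" the client's uid DN rather than "", so the existing "by users write" ACL applies.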