
Re: Externalize access to a partial replica



Jehan PROCACCIA <Jehan.Procaccia@it-sudparis.eu> writes:

> hello
>
> I need to give access to a partial replica of my ldap directory
> this replica only contains "white pages" attributes -> no userpassword !
>
> syncrepl        rid=001
> filter="(|(objectClass=organizationalPerson)
> attrs="uid,cn,sn,ou,departmentNumber,GivenName
>
> I created a bind user in the master ldap to give external access to
> that replica
> but as I don't replicate userpassword, that bind user doesn't
> have userpassword in the replica and then cannot authenticate on it
> (egg and chicken problem !)
>
> then how can I have that partial replica without userpassword attributes,
> but still allow someone (at least one dn, but not the rootdn in
> slapd.conf that I want to keep secret)
> to bind to that replica !?
>
> I tested a binddn out of ldap database with SASL (digest-md5), but
> apparently (ldapsearch -Y) it requires a userpassword attribute for
> that binddn in the ldap database :-(
> I thought that having a password only in /etc/sasldb2 would be enough
> ... too bad ;-(
> I also tested with a translucent in front of my replica, in that
> translucent I added the userpassword for the binddn so that he can
> bind, but the search addressed to that translucent that finally goes
> to my partial replica ends up in an anonymous bind,
> not as that binddn I expected :-( (so ACL cannot be matched )
>
> Please let me know how to let a user+password (binddn having
> corresponding ACL) search my replica on a replica not containing
> userpassword attributes (or at least one for that binddn). Would it be
> possible to replicate userpassword attribute from the master only for
> that binddn ?

Have you thought about an X.500 certificate, StartTLS and the SASL EXTERNAL
mechanism?

-Dieter
-- 
Dieter Klünter | Systemberatung
http://www.dpunkt.de/buecher/2104.html
sip: +49.180.1555.7770535
GPG Key ID:8EF7B6C6
53°08'09,95"N
10°08'02,42"E
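As an added example (not from the thread, and not Dieter's or the OpenLDAP project's own configuration) of the approach suggested above: a slapd.conf fragment for the partial replica that demands a TLS client certificate, maps the certificate subject onto a directory DN with authz-regexp, and lets only that DN read the white pages, so no userPassword ever has to exist on the replica. The suffix dc=example,dc=fr, the certificate paths, the host name and the "cn=replica reader" subject are all placeholders.

```conf
# --- replica (syncrepl consumer) slapd.conf, added example; paths/names are placeholders ---

# Server certificate used for StartTLS, and the CA that issued the client certificates.
TLSCACertificateFile   /etc/openldap/certs/replica-ca.pem
TLSCertificateFile     /etc/openldap/certs/replica.crt
TLSCertificateKeyFile  /etc/openldap/certs/replica.key
# "demand": a connection without a valid certificate from that CA is refused,
# so the replica is reachable only by holders of a cert you issued.
TLSVerifyClient        demand

# With SASL EXTERNAL over TLS, slapd uses the client certificate subject DN
# (normalised, e.g. "cn=replica reader,ou=service,dc=example,dc=fr") as the
# authentication identity. Map it onto an entry in the replica; the URL form
# requires that entry to exist, i.e. it must pass the syncrepl filter/attrs
# (the DN form "cn=$1,ou=service,dc=example,dc=fr" would not require that).
authz-regexp
    "^cn=([^,]+),ou=service,dc=example,dc=fr$"
    "ldap:///ou=service,dc=example,dc=fr??sub?(cn=$1)"

# ACLs: the mapped identity reads the white pages, nobody else sees anything.
# userPassword is not replicated, but deny it explicitly anyway.
access to attrs=userPassword
    by * none
access to *
    by dn.exact="cn=replica reader,ou=service,dc=example,dc=fr" read
    by * none

# Client side (constructed example): present the reader's cert/key and the CA,
# then bind with EXTERNAL over StartTLS (-ZZ fails the run if TLS does not come up).
# ldapwhoami shows the DN the authz-regexp produced, which is the value to check
# first if the ACL does not match.
#   export LDAPTLS_CACERT=/path/to/replica-ca.pem
#   export LDAPTLS_CERT=/path/to/reader.crt
#   export LDAPTLS_KEY=/path/to/reader.key
#   ldapwhoami  -ZZ -Y EXTERNAL -H ldap://replica.example.fr
#   ldapsearch  -ZZ -Y EXTERNAL -H ldap://replica.example.fr \
#       -b dc=example,dc=fr "(uid=jdoe)" cn sn departmentNumber
```

The rootdn from slapd.conf is never used by clients here, and the private key of the reader certificate is the only secret that leaves the server side.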