[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acls for mirrormode user and its clear text passwords

To: openldap-technical@openldap.org
Subject: Re: acls for mirrormode user and its clear text passwords
From: Tyler Gates <tgates81@gmail.com>
Date: Sun, 22 Mar 2009 07:50:47 -0400

I figured this out. The problem was I didn't have the entry 'anonymous
auth' in the clause.

>I have a multimaster system running behind a back_ldap proxy and all
>is?
>running fine except for the fact that the mirrormode user specified in
>syncrepl section can only specify its password as cleartext or use sasl
>authentication. I'm not so worried about the clear text password being
>seen because all connections are via tls. But, if anyone binds,
>including anonymous users, that password is visible to them which
>scares me because the mirrormode user has write access to the entire
>tree. My first course of action was to set acls as write to mirrormode
>user and none to everyone else but no matter what I do, replication
>between the two servers breaks because it seems as soon as an acl is
>defined, mirrormode user no longer has permissions. Am I fundamentally
>missing something here with the visible clear text password? Or am I
>just not doing the acls right? Below is an example of what I surely 
>thought would work at a (very minimal level).
>
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
>     by anonymous none
>
>doesn't work. Even:
>
>access to dn.base="cn=Mirrormode,dc=example,dc=com" attrs=userPassword
>     by self write
>
>gives me no love either. If you need the entire acl I can provide it
>but I'm guessing I missing something much more obvious.
>
>Thanks,
>    Tyler

Prev by Date: Re: OpenLDAP Syncrepl issue
Next by Date: User root from client can be all another users
Index(es):
- Chronological
- Thread