[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Chain overlay and ACLs

To: "John Kane" <john.kane@prodeasystems.com>
Subject: Re: Chain overlay and ACLs
From: masarati@aero.polimi.it
Date: Thu, 11 Jun 2009 22:10:42 +0200 (CEST)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <56DA5079467D1C48B857C6FE59D5D4FC02B4C8AD@prodeaserve.prodea.local>
References: <56DA5079467D1C48B857C6FE59D5D4FC02B4C8AD@prodeaserve.prodea.local>
User-agent: SquirrelMail/1.4.9a

> Noob question:
>
> I've set up chaining from my slave LDAP to the master.  It seemed
> everything was working fine, until I realize that ANY user can now make
> modifications in the LDAP DB if it is done from the slave.
>
> My ALCs allow full write access to the chain binddn.  If I don't set
> this, chaining fails.  But with it set, any valid, authenticated user
> can make DB changes (full write access).
>
> I am confused as to why this is happening.

Well, of course you're supposed to configure slapo-chain so that it uses
the binddn only to authorize as the original request identity.  Within the
wealth of info you provided you did not show how the chain overlay is
configured (unless I missed it), but in any case you should follow
indications here
<http://www.openldap.org/doc/admin24/overlays.html#Chaining>
(specifically, see the "chain-idassert-bind" stanza).

p.

Follow-Ups:
- RE: Chain overlay and ACLs
  - From: "John Kane" <john.kane@prodeasystems.com>

References:
- Chain overlay and ACLs
  - From: "John Kane" <john.kane@prodeasystems.com>

Prev by Date: Chain overlay and ACLs
Next by Date: RE: Chain overlay and ACLs
Index(es):
- Chronological
- Thread