
database ldap and acl-bind



Hi everyone,

As I understand from the documentation, acl-bind is a technique to fetch
ACLs from the backend LDAP to the LDAP proxy and apply them there. Is this
correct?
I can't find any working example with logs shown to prove my idea, nor can
I get my configs to work. Maybe there is something I don't know?
My configs:

/etc/ldap/slapd.d/cn=config/olcDatabase={2}ldap.ldif:
dn: olcDatabase={2}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
structuralObjectClass: olcLDAPConfig
entryUUID: da219748-6515-1031-9486-41b4d47f5b36
olcSuffix: dc=ktu,dc=lt
olcDbURI: ldap://83.171.20.45
olcDbIdleTimeout: 60
olcDbACLBind: bindmethod=simple binddn="cn=test,dc=ktu,dc=lt" credentials="test"

Logs:
Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: access to entry
"dc=ktu,dc=lt", attr "entry" requested
Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: to all values by
"cn=admin,dc=ktu,dc=lt", (=0)
Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: *
Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] applying +0 (break)
Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] mask: =0
Jul 19 12:17:36 bijote slapd[1435]: => dn: [2]
Jul 19 12:17:36 bijote slapd[1435]: => dn: [3] cn=subschema
Jul 19 12:17:36 bijote slapd[1435]: <= acl_get: done.
Jul 19 12:17:36 bijote slapd[1435]: => slap_access_allowed: no more rules

It is clearly visible that there are no ACL configs in the database
definition, and the ACLs come from the frontend database (defaults):

/etc/ldap/slapd.d/cn=config/olcDatabase\={2}ldap.ldif:
...
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
 ,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
....

As I understand, there should be ACLs in the LDAP proxy (custom or default,
tied to the backend's ACLs or not). Please help me clear things up.
-- 
Sincerely,
Nerijus Kislauskas
KTU ITPI, Litnet valdymo centras
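An added example, not part of the original message: ACLs written directly on the proxy's own ldap database, which is where slapd evaluates them for requests that arrive at the proxy. Per slapd-ldap(5), the olcDbACLBind identity is the one the proxy uses internally when evaluating an ACL requires reading data from the remote server (the group membership in the second rule below is such a case). The suffix and database index come from the message; the helpdesk group DN is a placeholder.

```ldif
# Apply with the same peercred identity the default ACL grants manage to:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f proxy-acl.ldif
# Continuation lines carry two leading spaces: LDIF strips the first one
# when unfolding, the second keeps the tokens separated.
dn: olcDatabase={2}ldap,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="dc=ktu,dc=lt"
  by self read
  by group.exact="cn=helpdesk,ou=groups,dc=ktu,dc=lt" read
  by * none
```

The group rule only works if the identity in olcDbACLBind can read the group entry's member attribute on the remote server; with `loglevel acl` the proxy's evaluation then shows up as acl_mask lines like the ones quoted above.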