Re: (ITS#5601) set-acl failure under back-ldap+rwm
> email@example.com wrote:
> The reason is quite simple: set expansion uses the rewritten DN as the
> user's name, so a local lookup of the entry "cn=user,dc=remote" fails
> since no local database serves the naming context "dc=remote". The root
> cause is that back-ldap binds as the rewritten DN, which is later stored
> as the real identity. I think this was done on purpose, and is to some
> extent appropriate, but makes the type of ACL you want to design
> basically impossible. A solution would be to make slapo-rwm intercept
> successful binds (in the cleanup callback) and rewrite back the bound DN
> into the virtual naming context. I'll see if it is possible, but then
> we need to decide whether this is the desired behavior. Otherwise, we'd
> need to have two o_ndn fields: the real DN and the real-real DN.
To further elaborate, even if the virtual DN is set instead of the real
one in c_ndn, the operation fails because ACL checking passes through
bi_entry_get_rw(), which is not provided by slapo-rwm, and can't be
provided according to the current design, since it does not allow
massaging the arguments. As a quick'n'dirty fix, what you can do is make
the proxy database serve both naming contexts, namely
rwm-suffixmassage "dc=remote,dc=local" "dc=remote"
This allows the proxy database to be found by select_backend() when
searching the right backend using the real naming context. At the same
time, internal searches occur as expected.
This is a hack; the real fix requires redesigning the API of
bi_entry_get_rw(), to let it modify the request arguments while letting
the real function do the hard job.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
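The proxy configuration the workaround above implies, written out as an added example (this slapd.conf fragment is not from the ITS thread or from the OpenLDAP sources; the remote URI, the manager attribute, the set-based ACL and the entry names are assumptions for illustration, and reading "serve both naming contexts" as two suffix directives on the same database is this example's interpretation of the reply):

```conf
# Added example, not from the ITS thread.  A back-ldap proxy that publishes
# the remote tree "dc=remote" under the local virtual naming context
# "dc=remote,dc=local" via slapo-rwm.

database        ldap
# Virtual naming context: what local clients see and what ACLs are written
# against.
suffix          "dc=remote,dc=local"
# Workaround from the thread: also claim the real (remote) naming context.
# After a bind, o_ndn holds the rewritten DN (e.g. cn=user,dc=remote);
# with this second suffix, select_backend() resolves that DN to this proxy,
# so the internal lookup made during set expansion reaches the remote entry
# instead of failing for lack of a local database serving "dc=remote".
suffix          "dc=remote"
# Assumed remote server for illustration.
uri             "ldap://remote.example.com/"

overlay         rwm
rwm-rewriteEngine on
# Virtual naming context -> real naming context, as in the thread.
rwm-suffixmassage "dc=remote,dc=local" "dc=remote"

# Assumed ACL of the kind the bug report is about: "user/manager" makes the
# ACL engine fetch the bound user's own entry, which is the lookup that
# failed before the second suffix was added.  Here an entry may be read
# by the people it is listed as manager for (user/manager & this).
access to dn.subtree="dc=remote,dc=local"
        by set="user/manager & this" read
        by self write
        by * none
```

Two caveats follow from the thread itself: this only papers over the naming-context mismatch in select_backend(), it does not change the fact that the bound identity stored in o_ndn is the real (rewritten) DN rather than the virtual one; and a database that answers for "dc=remote" will also be selected for any local client that addresses that DN directly, so check that no other local database is expected to own that suffix.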