
Allowing read only for automount maps



I would like to configure my slapd.conf to allow read only for automount maps but maintain my existing permissions for user accounts (in particular authenticated access to the userPassword field).

Here is the log entry I get when attempting to get autofs on Red Hat 9 to get its auto.home from the LDAP server.

Sep 17 15:23:11 llama slapd[27876]: conn=4 op=2 SRCH attr=ou automountInformation
Sep 17 15:23:11 llama slapd[27876]: conn=4 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Sep 17 15:23:11 llama slapd[27876]: conn=4 op=3 UNBIND
Sep 17 15:23:11 llama slapd[27876]: conn=4 fd=13 closed
Sep 17 15:23:11 llama slapd[27875]: conn=5 fd=13 ACCEPT from IP=132.239.27.243:33321 (IP=0.0.0.0:389)
Sep 17 15:23:11 llama slapd[27876]: conn=5 op=0 BIND dn="nisMapName=auto.home,dc=physics,dc=ucsd,dc=edu" method=128
Sep 17 15:23:11 llama slapd[27876]: conn=5 op=0 RESULT tag=97 err=53 text=unauthenticated bind (DN with no password) disallowed


Here is my current ACL. I tried some things with regard to the NIS map, but I am groping around a bit here.

# This is a failed attempt at opening this up for read....

# Allow reading of the NIS automount info. Note: this does reveal usernames :(
access to dn.base="nisMapName=auto.home,dc=physics,dc=ucsd,dc=edu"
by * read


# Below here works great...

# Restrict userPassword to be used for auth only, but allow users to modify their passwords
access to attrs=userPassword
by self write
by * auth


# Default simple acl
access to *
       by * read

Thanks for any help

Terrence
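Two things about the ACL above are worth seeing rather than reading about. First, `dn.base="nisMapName=auto.home,..."` covers only the map entry itself; the per-user automount entries are its children, so a rule meant to cover the map has to use `dn.subtree` (or `dn.children`). Second, slapd evaluates `access to` rules first-match: the first rule whose target covers the entry and attribute decides, and later rules are never consulted. A subtree rule with no `attrs=` clause placed ahead of the `attrs=userPassword` rule therefore shadows it for every entry under that subtree. The err=53 on the BIND in the log is a separate matter: slapd is refusing a simple bind that names a DN but sends no password (slapd.conf's `allow bind_anon_dn` re-enables that, treating such binds as anonymous), and no ACL change will clear it, since it is rejected before any ACL is consulted. The following is an added example, not code from the thread or from OpenLDAP: a deliberately small model of slapd's ACL evaluation, run against the posted rule set and two reorderings. The child entry `cn=terrence,...` is constructed, and giving it a `userPassword` is hypothetical, purely to show the shadowing effect.

```python
"""Minimal model of slapd first-match ACL evaluation (added example, not
OpenLDAP code). It covers only what the thread needs: dn.base / dn.subtree /
dn.children targets, an attrs= target, and the who-clauses *, self, anonymous
and users. Access levels follow slapd.conf(5): none < auth < compare < search
< read < write. The entry DNs below are constructed to match the thread's tree."""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def norm(dn):
    """Normalise a DN for comparison: drop spaces after commas, lowercase.
    Real DN matching is more involved; this is enough for the demo."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def dn_matches(style, target, entry):
    """True if the entry DN falls in the scope the target/style describes."""
    if style is None:                       # no dn= clause: any entry
        return True
    t, e = norm(target), norm(entry)
    if style == "base":
        return e == t                       # the named entry only
    if style == "subtree":
        return e == t or e.endswith("," + t)
    if style == "children":
        return e != t and e.endswith("," + t)
    raise ValueError(style)

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(entry_dn)
    raise ValueError(who)

def access(acl, bind_dn, entry_dn, attr):
    """Return (level, rule_index). rule_index is the first rule whose target
    covers (entry_dn, attr); slapd stops there even if a later rule would
    grant more, and denies when no rule matches at all. Within the matching
    rule the first <by> clause whose <who> fits the requester decides."""
    for idx, rule in enumerate(acl):
        if not dn_matches(rule.get("style"), rule.get("dn"), entry_dn):
            continue
        if rule.get("attrs") is not None and attr not in rule["attrs"]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, entry_dn):
                return level, idx
        return "none", idx
    return "none", None

def allows(level, wanted):
    return LEVELS.index(level) >= LEVELS.index(wanted)

def check(acl, bind_dn, entry_dn, attr, wanted):
    """(granted?, index of the rule that decided) for one access request."""
    level, idx = access(acl, bind_dn, entry_dn, attr)
    return allows(level, wanted), idx

MAP = "nisMapName=auto.home,dc=physics,dc=ucsd,dc=edu"
CHILD = "cn=terrence," + MAP     # constructed automount entry under the map

# The ACL as posted: dn.base rule, then the userPassword rule, then catch-all.
AS_POSTED = [
    {"style": "base", "dn": MAP, "by": [("*", "read")]},
    {"attrs": {"userPassword"}, "by": [("self", "write"), ("*", "auth")]},
    {"by": [("*", "read")]},
]

# Widened to dn.subtree but still ahead of the userPassword rule: shadows it.
SUBTREE_FIRST = [
    {"style": "subtree", "dn": MAP, "by": [("*", "read")]},
    {"attrs": {"userPassword"}, "by": [("self", "write"), ("*", "auth")]},
    {"by": [("*", "read")]},
]

# Attribute rule first, subtree rule second, catch-all last.
PASSWORD_FIRST = [
    {"attrs": {"userPassword"}, "by": [("self", "write"), ("*", "auth")]},
    {"style": "subtree", "dn": MAP, "by": [("*", "read")]},
    {"by": [("*", "read")]},
]

if __name__ == "__main__":
    for name, acl in (("as posted", AS_POSTED),
                      ("subtree first", SUBTREE_FIRST),
                      ("password first", PASSWORD_FIRST)):
        print(name)
        print("  anon read automountInformation on map:  ",
              check(acl, None, MAP, "automountInformation", "read"))
        print("  anon read automountInformation on child:",
              check(acl, None, CHILD, "automountInformation", "read"))
        print("  anon read userPassword on child:        ",
              check(acl, None, CHILD, "userPassword", "read"))
```

The second return value is the rule that made the decision. With the ACL as posted, an anonymous read of the child entry is decided by rule 2 (the catch-all), not by the dn.base rule, which shows that rule 0 never touched the automount entries. With the subtree rule placed first, an anonymous read of `userPassword` on anything under the map is granted by rule 0; with the userPassword rule first it is held to `auth` as intended.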








Gary LaVoy wrote:

So I am sure that I must have some configuration thing set up wrong... but
whenever I do a single update to my LDAP master (v2.1.22) I get 3 updates for
that same DN on my replica server. Please just get it over with quickly and
tell me I am a dumb s**t, and set me straight on what config changes I need to
make.

In addition, I also appear to be able to update my replica directly even though
I have an updateref defined... not sure why I can do that either!

thanks for the flogging in advance ;-)

Gary
glavoy@apple.com

------------------------------------

Here is a snippet of the master's log:

Aug 28 17:31:13 albacore slapd[10007]: conn=4989 op=0 BIND dn="cn=Manager,o=Apple Computer" mech=simple ssf=0
Aug 28 17:31:13 albacore slapd[10007]: conn=4989 op=0 RESULT tag=97 err=0 text=
Aug 28 17:31:13 albacore slapd[10007]: conn=4989 op=1 ADD dn="appleDSID=774135,ou=groupmembers,ou=groups,o=apple computer"
Aug 28 17:31:13 albacore slapd[10007]: conn=4989 op=1 RESULT tag=105 err=0 text=




Here is the replica's log:

Aug 28 17:31:14 barbet slapd[9179]: conn=4897 op=3 ADD dn="appleDSID=774135,ou=groupmembers,ou=groups,o=apple computer"
Aug 28 17:31:14 barbet slapd[9179]: conn=4899 op=3 ADD dn="appleDSID=774135,ou=groupmembers,ou=groups,o=apple computer"
Aug 28 17:31:14 barbet slapd[9179]: conn=4898 op=3 ADD dn="appleDSID=774135,ou=groupmembers,ou=groups,o=apple computer"
Aug 28 17:31:15 barbet slapd[9179]: conn=4897 op=3 RESULT tag=105 err=0 text=
Aug 28 17:31:15 barbet slapd[9179]: conn=4899 op=3 RESULT tag=105 err=68 text=
Aug 28 17:31:15 barbet slapd[9179]: conn=4898 op=3 RESULT tag=105 err=68 text=



The db portion of my slapd.conf for the master looks like this (I have 3 separate dbs on both systems):

replogfile /ngs/app/openldap/apple_openldap/var/openldap-slurp/replogfile.log


database        ldbm
suffix          "ou=Groups, o=Apple Computer"
subordinate     "o=Apple Computer"
dbcachesize     500000000
cachesize       500000000
rootdn          "cn=Manager,o=Apple Computer"
replica         host=etsx4.apple.com:389
                binddn="cn=Manager,o=Apple Computer"
                bindmethod=simple
                credentials=secret
directory       /ngs/app/openldap/apple_openldap/var/openldap-data/db/groups


database        ldbm
suffix          "ou=Externals, o=Apple Computer"
subordinate     "o=Apple Computer"
dbcachesize     500000000
cachesize       500000000
rootdn          "cn=Manager,o=Apple Computer"
replica         host=etsx4.apple.com:389
                binddn="cn=Manager,o=Apple Computer"
                bindmethod=simple
                credentials=secret
directory       /ngs/app/openldap/apple_openldap/var/openldap-data/db/externals


database        ldbm
suffix          "o=Apple Computer"
dbcachesize     300000000
cachesize       300000000
rootdn          "cn=Manager,o=Apple Computer"
rootpw          {SSHA}qn1ASsCqSO4wUbZPRmgUc0e3eZgbACdE
replica         host=etsx4.apple.com:389
                binddn="cn=Manager,o=Apple Computer"
                bindmethod=simple
                credentials=secret
directory       /ngs/app/openldap/apple_openldap/var/openldap-data/db/apple


The replica's slapd.conf looks like this:

database        ldbm
suffix          "ou=Groups, o=Apple Computer"
subordinate     "o=Apple Computer"
dbcachesize     500000000
rootdn          "cn=Manager,o=Apple Computer"
updatedn        "cn=Manager,o=Apple Computer"
updateref       ldap://etsx1.apple.com
cachesize       500000000
directory       /ngs/app/openldap/apple_openldap/var/openldap-data/db/groups


database        ldbm
suffix          "ou=Externals, o=Apple Computer"
subordinate     "o=Apple Computer"
dbcachesize     500000000
rootdn          "cn=Manager,o=Apple Computer"
updatedn        "cn=Manager,o=Apple Computer"
updateref       ldap://etsx1.apple.com
cachesize       500000000
directory       /ngs/app/openldap/apple_openldap/var/openldap-data/db/externals


database        ldbm
suffix          "o=Apple Computer"
dbcachesize     300000000
rootdn          "cn=Manager,o=Apple Computer"
rootpw          {SSHA}qn1ASsCqSO4wUbZPRmgUc0e3eZgbACdE
#rootpw         secret
updatedn        "cn=Manager,o=Apple Computer"
updateref       ldap://etsx1.apple.com
cachesize       300000000
directory       /ngs/app/openldap/apple_openldap/var/openldap-data/db/apple