
Re: meta backend config problem



On Tue, Jan 23, 2007 at 04:31:56PM +0100, Julien Oix wrote:
> hi everyone,
> 
> I made a previous post, but no one answered, so I try again :)
> 
> I'm trying to deploy a meta directory using the OpenLdap meta backend.
> 
> I'm using the slapd Etch Debian package, version 2.3.27-1
> 
> when my target server includes the next ACL, everything is fine, I can
> retrieve any data by the meta directory using ldapsearch, it works fine
> 
> ##
> 
> access to attrs=userPassword
>        by dn="cn=admin,dc=toto,dc=fr" write
>        by anonymous auth
>        by self write
>        by * none
> 
> and
> 
> access to *
>        by dn="cn=admin,dc=toto,dc=fr" write
>        by * read
> 
> ##
> 
> but I want only authenticated connections (no anonymous bind, if I'm 
> right) to have read access, so I change the ACL like that
> 
> ##
> 
> access to attrs=userPassword,shadowLastChange
>        by dn="cn=admin,dc=toto,dc=fr" write
>        by anonymous auth
>        by self write
>        by * none
> 
> and
> 
> access to *
>        by dn="cn=admin,dc=toto,dc=fr" write
>        by self read
>        by anonymous auth
>        by * none

Why not change this to 

 access to *
        by dn="cn=admin,dc=toto,dc=fr" write
        by users read
        by * none


The above line says only allow self to access *, so if the object is the DN
for the user it is allowed to read, but it is not allowed to read anything else.

> ##
> 
> So, for this target, I'm adding the acl-authcDN and acl-passwd
> directives to the meta directory, with the target's rootdn and rootpw 
> values, in order to enable ACL checking and matching (in that case, the 
> write privilege for dn="cn=admin,dc=toto,dc=fr")
> 
> giving this in the meta backend conf
> 
> ##
> database        meta
> 
> suffix          "dc=meta-ufr-info-p7,dc=jussieu,dc=fr"
> 
> uri             "ldap://localhost:389/dc=meta-ufr-info-p7,dc=jussieu,dc=fr";
> suffixmassage   "dc=meta-ufr-info-p7,dc=jussieu,dc=fr" "dc=toto,dc=fr"
> 
> acl-authcDN "cn=admin,dc=toto,dc=fr"
> acl-passwd "xxxxx"
> ##
> 
> But at this moment, I can't retrieve any data anymore, as I perform an
> ldapsearch by the meta directory ....
> 
> Is there anything wrong in my conf?
> 
> the slapd-meta man page says about the acl-authcDN directive: "it is
> supposed to have read access on the target server to attributes  used
> on  the  proxy  for  acl checking."
> 
> What does that mean exactly? :)

Haven't looked at meta data.
> 
> 
> Thanks.
> -- 
> Julien Oix
> UFR d'Informatique - Université Paris Diderot
> 
> Office 5C01 (5th floor)
> 175 rue du Chevaleret
> 75013 PARIS
> 
> Tel : +33 (0) 144 278 504
> Mobile : +33 (0) 664 392 207
> ---------------------------------------------
> http://www.gnu.org/philosophy/no-word-attachments.html
> 
> 

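To make the difference between `by self read` and `by users read` concrete, here is an added example (not part of the thread and not OpenLDAP code): a deliberately simplified Python model of slapd's ACL evaluation covering only the selectors used above (`dn=`, `self`, `users`, `anonymous`, `*`), the ordered privilege levels, and the rule that the first `access to` whose `<what>` matches is used and, within it, the first matching `by` clause wins (no match means denied). It assumes `dn=` is an exact match, that the `userPassword` rule from the second config stays the same under the suggested replacement, and the user DNs `uid=alice,...` / `uid=bob,...` are constructed sample values. Real slapd has many more selectors (group, dnattr, sets, regex styles) and attribute-level subtleties that this model ignores.

```python
"""Simplified model of slapd access-control evaluation (added example,
not OpenLDAP code).  Models only: <who> selectors dn=, self, users,
anonymous, *; ordered privilege levels; first matching <what> is used,
first matching <by> clause within it wins, no match == denied."""

# slapd privilege levels in increasing order of strength.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def _norm(dn):
    """Crude DN normalisation: strip spaces after commas, lower-case."""
    return ",".join(p.strip() for p in dn.split(",")).lower() if dn else ""


def who_matches(who, bound_dn, target_dn):
    """Does one <who> selector match this bound identity / target entry?"""
    bound = _norm(bound_dn)
    if who == "*":
        return True
    if who == "anonymous":           # no bind DN at all
        return bound == ""
    if who == "users":               # any authenticated DN
        return bound != ""
    if who == "self":                # bound DN is the entry being accessed
        return bound != "" and bound == _norm(target_dn)
    if who.startswith("dn="):        # ASSUMPTION: modelled as exact match
        return bound == _norm(who[3:].strip('"'))
    raise ValueError(f"unsupported <who> selector: {who}")


def granted(rules, bound_dn, target_dn, attr=None):
    """Privilege level the ACL grants.  rules = [(attrs_or_None, [(who, level)])]."""
    for attrs, by_clauses in rules:
        # An 'access to attrs=...' rule only applies when that attribute is touched.
        if attrs is not None and (attr is None or attr.lower() not in attrs):
            continue
        for who, level in by_clauses:
            if who_matches(who, bound_dn, target_dn):
                return level
        return "none"   # first matching <what> wins; no matching <who> -> denied
    return "none"       # no rule matched at all -> denied


def allowed(rules, bound_dn, target_dn, needed, attr=None):
    """True if the granted level is at least the level the operation needs."""
    return LEVELS.index(granted(rules, bound_dn, target_dn, attr)) >= LEVELS.index(needed)


ADMIN = 'dn="cn=admin,dc=toto,dc=fr"'

# 'access to attrs=userPassword,shadowLastChange' from the second config;
# ASSUMPTION: kept unchanged under the suggested replacement.
PASSWORD_RULE = ({"userpassword", "shadowlastchange"},
                 [(ADMIN, "write"), ("anonymous", "auth"), ("self", "write"), ("*", "none")])

# The poster's second attempt: 'by self read' on everything else.
ACL_SELF_ONLY = [PASSWORD_RULE,
                 (None, [(ADMIN, "write"), ("self", "read"),
                         ("anonymous", "auth"), ("*", "none")])]

# The replacement suggested in the reply: 'by users read'.
ACL_USERS = [PASSWORD_RULE,
             (None, [(ADMIN, "write"), ("users", "read"), ("*", "none")])]

# Constructed sample DNs (not from the thread).
ALICE = "uid=alice,ou=people,dc=toto,dc=fr"
BOB = "uid=bob,ou=people,dc=toto,dc=fr"
SUFFIX = "dc=toto,dc=fr"


def compare_policies():
    """Map scenario -> (allowed under self-only ACL, allowed under users ACL)."""
    cases = {
        "anonymous simple bind (auth on userPassword)": (None, ALICE, "auth", "userPassword"),
        "alice reads her own entry": (ALICE, ALICE, "read", None),
        "alice reads the suffix entry (search base)": (ALICE, SUFFIX, "read", None),
        "alice reads bob's entry": (ALICE, BOB, "read", None),
        "alice reads bob's userPassword": (ALICE, BOB, "read", "userPassword"),
        "anonymous reads bob's entry": (None, BOB, "read", None),
        "admin writes bob's entry": ("cn=admin,dc=toto,dc=fr", BOB, "write", None),
    }
    return {name: (allowed(ACL_SELF_ONLY, *a), allowed(ACL_USERS, *a))
            for name, a in cases.items()}


if __name__ == "__main__":
    for name, (self_only, users) in compare_policies().items():
        print(f"{name:48s} self-only={self_only!s:5s} users={users}")
```

The scenario that explains the thread is "alice reads bob's entry" and "alice reads the suffix entry": with `by self read`, an authenticated user gets `none` on every entry but her own (including the search base), so an ldapsearch through the proxy returns nothing, while `by users read` grants read to any bound DN and still leaves anonymous clients with nothing but the `auth` access on `userPassword` that a simple bind needs.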