[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP ACLs Question



Hi,

We have three OpenLDAP servers: 10.0.0.2, 10.0.0.3 and 10.0.0.4 and one web server 10.0.0.5.

For a long time we've had two baseDN databases running on the OpenLDAP servers with ACLs configured so that anyone on the subnet can read anything in the system and our replication has been working well.

Recently, we've added the third database with more restrictive ACLs that look like this:

============================================================
access to *
 by dn="uid=replicator,ou=People,dc=bar" read
 by * break

access to attrs=userPassword,sambaNTPassword
 by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write
 by self write
 by anonymous auth
 by * none

access to attrs=entry,uid,cn,sn,givenName,title,departmentNumber,mail,telephoneNumber,roomNumber
 by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write
 by users read
 by * none

access to *
 by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write
 by * none
============================================================

With these ACLs, replication works when anyone in the ldap-admins group posts an update to the server.  However, if a user updates their own password, replication does not take place.  If we change the last access clause to this:

============================================================
access to *
 by group/groupOfNames/Member="cn=ldap-admins,ou=Group,dc=bar" write
 by peername.regex="10\.0\.0\.5" read
 by * none
============================================================

then the user self-updates are replicated properly.  Note that 10.0.0.5 is the *web server*.  The way I read this ACL, it means we're granting read access to the web server, and in so doing, the other two LDAP servers (10.0.0.3 and 10.0.0.4) are magically able to replicate data again.

When replication is *not* working in this set-up, re-starting slapd on 10.0.0.3 and 10.0.0.4 (without changing any ACLs anywhere) causes them to suck down all the updates they missed before.

Am I misunderstanding the way these ACLs work?  Is there any way that giving READ access to the web server (which it already has by virtue of the user having bound themselves to the LDAP server) should cause replication for 10.0.0.3 and 10.0.0.4 to work again?  Or is this perhaps a bug in the version of slapd (2.3.43; yes I know it's old; it's a vendor package and that's how we roll around here at the moment) that we're running?

I'm not really asking anyone to fix the problem or to offer a solution to the problem...I just want to know if this sort of replication issue was a known problem in the past?


Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354