[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Chain overlay and ACLs

> -----Original Message-----
> From: masarati@aero.polimi.it [mailto:masarati@aero.polimi.it]
> Sent: Thursday, June 11, 2009 3:11 PM
> To: John Kane
> Cc: openldap-technical@openldap.org
> Subject: Re: Chain overlay and ACLs
> > Noob question:
> >
> > I've set up chaining from my slave LDAP to the master.  It seemed
> > everything was working fine, until I realize that ANY user can now
> make
> > modifications in the LDAP DB if it is done from the slave.
> >
> > My ALCs allow full write access to the chain binddn.  If I don't set
> > this, chaining fails.  But with it set, any valid, authenticated
> > can make DB changes (full write access).
> >
> > I am confused as to why this is happening.
> Well, of course you're supposed to configure slapo-chain so that it
> uses
> the binddn only to authorize as the original request identity.  Within
> the
> wealth of info you provided you did not show how the chain overlay is
> configured (unless I missed it), but in any case you should follow
> indications here
> <http://www.openldap.org/doc/admin24/overlays.html#Chaining>
> (specifically, see the "chain-idassert-bind" stanza).
> p.

Knew I was forgetting something :)  Here's the overlay info from the

overlay                 chain
chain-uri               "ldap://
chain-idassert-bind bindmethod="simple"
#                       mode="self"
chain-tls               start
chain-max-depth         2
chain-return-error      TRUE
chain-rebind-as-user    TRUE


This message is confidential to Prodea Systems, Inc unless otherwise indicated 
or apparent from its nature. This message is directed to the intended recipient 
only, who may be readily determined by the sender of this message and its 
contents. If the reader of this message is not the intended recipient, or an 
employee or agent responsible for delivering this message to the intended 
recipient:(a)any dissemination or copying of this message is strictly 
prohibited; and(b)immediately notify the sender by return message and destroy 
any copies of this message in any form(electronic, paper or otherwise) that you 
have.The delivery of this message and its information is neither intended to be 
nor constitutes a disclosure or waiver of any trade secrets, intellectual 
property, attorney work product, or attorney-client communications. The 
authority of the individual sending this message to legally bind Prodea Systems  
is neither apparent nor implied,and must be independently verified.