[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: How can I make the unique overlay play nicely with my ACL?

Owen Jacobson wrote:
Hi there,

I'm trying to enforce that the 'uid' attribute is globally unique in my
using the unique overlay. For a collection of mostly-uninteresting reasons,
the LDAP server is publicly connectable but not publicly searchable (details
below). It appears that the unique overlay uses the *worst possible*
combination of credentials to perform the searches it uses to guarantee

All of the following information was obtained from ldapsearch -Y EXTERNAL
ldapi:/// -b cn=config -- it's really what slapd thinks it's seeing.

As you can see, (a) the IP address the search "comes from" is not the IP
address of the LDAP server nor is it the LDAP server's ldapi:// socket (it's
actually my client machine's IP address) and (b) the authenticated DN used in
the search is empty. Combined, these two facts lead to slapd deciding the
search is not permitted by the ACL, which in turn causes the unique overlay to
decide no other entries with the same uid exist. This seems wrong: the
connection from that IP and port has already authenticated as a user (which
would've permitted the search).

Assuming for the moment that allowing the world at large to search my LDAP
server is not an option, how can I allow the unique overlay to enforce my

Re-read the slapo-unique(5) manpage. Specifically the 3rd paragraph.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/