
Re: ACLs being ignored with rwm/relay



Hi,

Wonderful - the slapd.conf (see end) with a slight re-arrangement, works!

ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk

does not return userPassword attributes. (The -D is only a convenience: no password is supplied, and with `allow bind_anon_dn` set a bind with a DN but empty credentials is accepted as anonymous, so no authentication is actually performed and the `by * none` clause applies.)


However,

ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk

Does return userPassword - which is what I want. The UNIX domain socket lives under a root-owned directory with mode 700, so only root can connect this way - i.e. local root has full, unauthenticated access to LDAP (the `peername.path` ACL clauses grant write to anything that reaches the socket, so the protection rests entirely on those filesystem permissions), which is what I want, so that scripts may easily be run to maintain the LDAP database.


Thanks again for your help :)

Cheers,

Tim



#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
# NOTE(review): -1 enables every debug category. This is a troubleshooting
# setting, not a production one -- it is extremely verbose and may write
# operation contents (including data from modify requests) to the log.
loglevel        -1

# Where the dynamically loaded modules are stored
modulepath	/usr/lib/ldap
moduleload	back_hdb
moduleload	back_relay
moduleload	rwm

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

# bind_anon_dn: a bind with a DN but no password is accepted as anonymous
# (this is why "-D cn=admin,..." without a password still works, and gets
# only anonymous access).  bind_anon_cred: likewise for a password with no
# DN.  update_anon: unbound (anonymous) sessions may submit update
# operations, still subject to the ACLs below -- needed for the
# unauthenticated ldapi writes granted by the peername.path clauses.
allow bind_anon_cred bind_anon_dn update_anon

backend		hdb
#backend		<other>

# Global (frontend) rwm instance; each relay database below also loads its
# own rwm overlay carrying the suffixmassage rule.
overlay rwm
rwm-rewriteEngine on

#######################################################################
# ACLs
#
# These access directives precede the first "database" directive, so they
# are global and apply to every database below, relay databases included.
# Within a rule the first matching "by" clause wins.
#
# Sensitive attributes: full access for connections arriving over the local
# ldapi socket (no bind required -- see update_anon above; this relies
# entirely on the filesystem permissions of the socket's directory) and for
# the admin DN after a genuinely authenticated bind.  Anonymous may use
# userPassword only to authenticate, users may change their own, and nobody
# else may read it.
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none

# The rootDSE is readable by everyone.
access to dn.base="" by * read

# Everything else: same local-socket and admin write access, users may
# modify their own entry, all others (including anonymous) are read-only.
access to *
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by self write
        by * read

#######################################################################
# Virtual maps
#
# Each relay database presents a subtree of dc=cch as a view onto the real
# dc=dighum hdb database; rwm-suffixmassage rewrites DNs between the two
# namings.  The relay databases define no rootdn and no ACLs of their own,
# so the global ACLs above are what govern access through them.
#
# map ou=staff,dc=cch to dc=dighum
#
database                relay
suffix                  "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay                   "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay                 rwm
rwm-suffixmassage       "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=external,dc=cch to dc=dighum
#
#database                relay
#suffix                  "ou=external,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay                   "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay                 rwm
#rwm-suffixmassage       "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=student,dc=cch to dc=dighum
#
#database                relay
#suffix                  "ou=student,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay                   "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay                 rwm
#rwm-suffixmassage       "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=project,dc=cch to dc=dighum
#
#database                relay
#suffix                  "ou=project,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay                   "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay                 rwm
#rwm-suffixmassage       "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map dc=cch to dc=dighum
#
# Catch-all for the whole dc=cch tree; listed after the more specific
# ou=staff relay above.
database                relay
suffix                  "dc=cch,dc=kcl,dc=ac,dc=uk"
relay                   "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay                 rwm
rwm-suffixmassage       "dc=dighum,dc=kcl,dc=ac,dc=uk"



#######################################################################
# Specific Directives for database dighum
#
# The only real (hdb) database; every relay database above maps onto it.
database        hdb
suffix          dc=dighum,dc=kcl,dc=ac,dc=uk
# The rootdn bypasses all ACLs; it is also the DN the global ACLs grant
# write access to.
rootdn          "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
# NOTE(review): this value is base64 text that decodes to an "{SSHA}..."
# hash (the form "olcRootPW::" takes in LDIF).  slapd.conf does not
# base64-decode rootpw, so as written the base64 string itself would be
# treated as the literal cleartext password -- verify with
# "ldapwhoami -D <rootdn> -W" and, if so, replace it with the plain
# {SSHA}... output of slappasswd.  Either way this config has been posted
# publicly, so the credential should be rotated.
rootpw          "e1NTSEF9TnkzOUx6aGZCRnQvOUIwQzZOeFIvcGtVcXRQWkZObXI="
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Only objectClass is indexed; filters on any other attribute run unindexed.
index           objectClass eq
lastmod         on
checkpoint      512 30

#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database        <other>
#suffix		"dc=debian,dc=org"

--
Tim Watts
Personal Blog: http://www.dionic.net/tim/