I have a configuration somewhat similar to the one below and the ACLs
seem to be applied using the non-rewritten DN which causes the self
specifier to never match.
We are in the process of configuring a more secure LDAP server with
stricter ACLs and extra security checks without affecting existing
applications. For this purpose we are putting a rewriting proxy in front
of several legacy LDAP servers. Ideally, the ACLs would be put in place
on the original servers but this is not easily possible in this
environment.
Is this a bug or am I doing something wrong?
Configuration snippet (simplified and anonymised):
access to attrs=userPassword
    by self =xw
    by anonymous auth
    by * none

access to *
    by self read
    by * search

database ldap
suffix "ou=department1,dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
subordinate
uri "ldap://192.168.1.1"
overlay rwm
rwm-suffixmassage "ou=department1,dc=example,dc=com" "dc=department1,dc=local"

database ldap
suffix "ou=department2,dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
subordinate
uri "ldap://192.168.1.2"
overlay rwm
rwm-suffixmassage "ou=department2,dc=example,dc=com" "dc=department2,dc=local"

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}5OWnUtaKRBk7x0UBQKO/HOgMZQoCczY5
directory /var/openldap-data
cachesize 1000
index objectClass eq
index cn,mail pres,eq,sub
index uid,uidNumber pres,eq
Part of the slapd output with -d 896 (again, anonymised):
5295fbb1 conn=1000 fd=27 ACCEPT from IP=127.0.0.1:48903 (IP=0.0.0.0:3389)
5295fbb1 conn=1000 op=0 BIND dn="uid=ldaptest,ou=People,ou=department2,dc=example,dc=com" method=128
5295fbb1 conn=1000 op=0 BIND dn="uid=ldaptest,ou=People,dc=department2,dc=local" mech=SIMPLE ssf=0
5295fbb1 conn=1000 op=0 RESULT tag=97 err=0 text=
5295fbb1 conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
5295fbb1 => access_allowed: search access to "dc=example,dc=com" "entry" requested
5295fbb1 => dn: [1]
5295fbb1 => acl_get: [3] attr entry
5295fbb1 => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
5295fbb1 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb1 <= check a_dn_pat: self
5295fbb1 <= check a_dn_pat: *
5295fbb1 <= acl_mask: [2] applying search(=scxd) (stop)
5295fbb1 <= acl_mask: [2] mask: search(=scxd)
5295fbb1 => slap_access_allowed: search access granted by search(=scxd)
5295fbb1 => access_allowed: search access granted by search(=scxd)
[...]
5295fbb2 => access_allowed: read access to "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com" "entry" requested
5295fbb2 => dn: [1]
5295fbb2 => acl_get: [3] attr entry
5295fbb2 => acl_mask: access to entry "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com", attr "entry" requested
5295fbb2 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb2 <= check a_dn_pat: self
5295fbb2 <= check a_dn_pat: *
5295fbb2 <= acl_mask: [2] applying search(=scxd) (stop)
5295fbb2 <= acl_mask: [2] mask: search(=scxd)
5295fbb2 => slap_access_allowed: read access denied by search(=scxd)
5295fbb2 => access_allowed: no more rules
5295fbb2 send_search_entry: conn 1000 access to entry (uid=ldaptest,ou=People,ou=department2,dc=example,dc=com) not allowed
The DN that is used seems to be uid=ldaptest,ou=people,dc=department2,dc=local,
which is how we were bound to the second LDAP server.
Thanks
PS: I would also be very interested in a solution for
http://www.openldap.org/lists/openldap-technical/201302/msg00152.html
--
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
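As an added diagnostic (not part of the original message and not OpenLDAP code), the following Python reads the acl_mask lines from the -d 896 trace above and reports whether the "self" comparison succeeds as logged, and whether it would succeed if the bound DN were mapped back through the rwm-suffixmassage pair to the virtual suffix. The normalize_dn and massage helpers are simplified assumptions, not slapd's real DN normalization or rewrite engine.

```python
import re

# Constructed from the rwm-suffixmassage line for the second backend in the
# quoted slapd.conf: virtual suffix seen by clients -> real suffix on the backend.
VIRTUAL_SUFFIX = "ou=department2,dc=example,dc=com"
REAL_SUFFIX = "dc=department2,dc=local"

# Constructed sample: the acl_mask pair copied from the -d 896 trace above.
SAMPLE_TRACE = [
    '5295fbb2 => acl_mask: access to entry "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com", attr "entry" requested',
    '5295fbb2 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)',
]

ACL_ENTRY = re.compile(r'acl_mask: access to entry "([^"]+)"')
ACL_SUBJECT = re.compile(r'acl_mask: to all values by "([^"]+)"')

def normalize_dn(dn):
    """Simplified DN normalization (assumption): lower-case, no whitespace around RDNs."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def massage(dn, old_suffix, new_suffix):
    """Simplified model of rwm-suffixmassage: swap a trailing suffix, else leave the DN alone."""
    n, old, new = normalize_dn(dn), normalize_dn(old_suffix), normalize_dn(new_suffix)
    if n == old:
        return new
    if n.endswith("," + old):
        return n[: -len(old)] + new
    return n

def extract_acl_dns(lines):
    """Return (entry DN, subject DN) from the last acl_mask pair found in the trace."""
    entry = subject = None
    for line in lines:
        m = ACL_ENTRY.search(line)
        if m:
            entry = m.group(1)
        m = ACL_SUBJECT.search(line)
        if m:
            subject = m.group(1)
    return entry, subject

def check_self(lines, virtual_suffix, real_suffix):
    """Return (matches as logged, matches once the subject is mapped back to the virtual suffix)."""
    entry, subject = extract_acl_dns(lines)
    as_logged = normalize_dn(entry) == normalize_dn(subject)
    mapped_back = normalize_dn(entry) == massage(subject, real_suffix, virtual_suffix)
    return as_logged, mapped_back

if __name__ == "__main__":
    print(check_self(SAMPLE_TRACE, VIRTUAL_SUFFIX, REAL_SUFFIX))  # (False, True)
```

The (False, True) result is the mismatch the trace shows: the entry DN is in the virtual namespace while the subject DN is the massaged backend DN, so "self" can only match once one side is mapped into the other's namespace.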