
Re: access control with pbind overlay



On Mon, 29 Sep 2014 00:14:55 +0200,
Ferenc Wagner <wferi@niif.hu> wrote:

> Ferenc Wagner <wferi@niif.hu> writes:
> 
> > I've got a partial syncrepl replica, which (among others) misses the
> > userPassword attributes of the provider database.  I added a pbind
> > overlay to the replica, which forwards binds to the provider, thus
> > it became possible to do simple binds against the replica.  But
> > access control on the replica does not honor these binds properly:
> > "by users" works, but "by self" does not.  Before I waste too much
> > time debugging: is it supposed to work at all?  I tested this under
> > 2.4.31 with:
> >
> > dn: olcDatabase={1}mdb,cn=config
> > olcAccess: to *
> >   by dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth read
> >   by self read
> >   by * none
> > olcSyncrepl: rid=1 [...]
> >
> > The external auth part works, and if I replace self with users, that
> > works as well (but is not what I want).  Do I expect too much?
> 
> Hi,
> 
> Would anybody please provide some guidance on this problem?

Define an authorization regular expression in order to map the SASL auth
string to a DN.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
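
What the reply's suggestion looks like in cn=config, as an added example that is not part of the original thread. The target subtree ou=people,dc=example,dc=com is a hypothetical placeholder, and the pattern covers only SASL auth DNs without a realm component.

```ldif
# Added illustration, not taken from the thread.
# A SASL bind yields an auth DN of the form uid=<name>,cn=<mechanism>,cn=auth.
# olcAuthzRegexp takes a POSIX extended regex and a replacement; $1 is the
# first capture group. Access rules such as "by self" compare entry DNs
# against the DN produced by this mapping.
# ou=people,dc=example,dc=com is a hypothetical subtree; use your own.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: uid=([^,]*),cn=[^,]*,cn=auth uid=$1,ou=people,dc=example,dc=com
```

After a SASL bind, `ldapwhoami` reports the identity slapd is actually using, which shows whether the mapping took effect.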