
Re: access control with pbind overlay



On Mon, 29 Sep 2014 11:24:53 +0200,
Ferenc Wagner <wferi@niif.hu> wrote:

> Dieter Klünter <dieter@dkluenter.de> writes:
> 
> > On Mon, 29 Sep 2014 00:14:55 +0200, Ferenc Wagner
> > <wferi@niif.hu> wrote:
> >
> >> Ferenc Wagner <wferi@niif.hu> writes:
> >> 
> >>> I've got a partial syncrepl replica, which (among others) misses
> >>> the userPassword attributes of the provider database.  I added a
> >>> pbind overlay to the replica, which forwards binds to the
> >>> provider, thus it became possible to do simple binds against the
> >>> replica.  But access control on the replica does not honor these
> >>> binds properly: "by users" works, but "by self" does not.  Before
> >>> I waste too much time debugging: is it supposed to work at all?
> >>> I tested this under 2.4.31 with:
> >>>
> >>> dn: olcDatabase={1}mdb,cn=config
> >>> olcAccess: to * by dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth read by self read by * none
> >>> olcSyncrepl: rid=1 [...]
> >>>
> >>> The external auth part works, and if I replace self with users,
> >>> that works as well (but is not what I want).  Do I expect too
> >>> much?
> >> 
> >> Would anybody please provide some guidance on this problem?
> >
> > Define an authorization regular expression in order to map sasl auth
> > string to a DN.
> 
> The SASL auth part works as is, no problem with that, I included it
> only to keep the olcAccess attribute verbatim.  But I'd like to get
> the "read by self" part to work with simple binds.  But these binds must
> be done through the pbind overlay, as userPassword is not
> replicated.  Pbind works to some extent, as binding only succeeds
> with the correct password, but the "by self" selector does not fire,
> as if the remote and local DN were treated as different.  Or is this
> what you imply, that I still need a mapping in this case?

Define a DN in the access rules, as 'self' must match a DN.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E