
Re: ACLs: restrict by IP and user



On Thu, Apr 28, 2016 at 09:15:09AM -0400, Aaron Richton wrote:
> >But if I put this kind of an ACL entry to my proxy, when a member of the group
> >"cn=somegroup,ou=somebranch,dc=dom,dc=ain" tries to access somethingPrivate,
> >the ACL checker falls all the way through to the "by * none" WHO clause and no
> >access is granted.
> 
> I think I'd start with some basics here: what does ldapcompare(1) show about
> group membership (or lack thereof)? Does it match/disagree with slapd "acl"
> debugging output?

It matches.

> >I have added the acl-authcDN and acl-passwd config lines to my meta backend
> >config after the URI, but they don't seem to have any effect. Moreover, I found
> 
> I believe that back-meta, like back-ldap, is transitioning toward the
> acl-bind directive. For now, this appears (perhaps unfortunately) to only be
> documented in the slapd-ldap(5) man page. So take a look at that too.
> 
> >I'm running 2.4.39 from the RHEL 7 distribution.
> 
> I don't know how many patches RHEL may (or may not) backport for you, but I
> know that some significant improvements have been made since 2.4.39,
> including some back-meta logging enhancements that might make this process a
> bit easier. You should consider using the latest 2.4 release instead.

I can't use back-ldap because I have two mirroring backend servers I want to
connect to (in case one of them fails) and that is precisely the functionality
I require from back-meta.

Looking at the code, my version of back-meta doesn't know anything about
acl-bind (back-ldap does). It does know about acl-authcdn and acl-passwd,
though. From back-meta/config.c:

--clip--
                case LDAP_BACK_CFG_ACL_AUTHCDN:
                case LDAP_BACK_CFG_ACL_PASSWD:
                        /* FIXME no point here, there is no code implementing
                         * their features. Was this supposed to implement
                         * acl-bind like back-ldap?
                         */
                        rc = 1;
                        break;
--clip--

So, um. Maybe I'll have a look at the latest 2.4 code next. Thanks for the
reply.


--Janne
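For readers landing on this thread: an added slapd.conf fragment (not from the thread or from OpenLDAP's own sources) showing what the acl-bind directive from slapd-ldap(5) looks like next to a group ACL of the kind discussed above. It uses back-ldap, since that is where acl-bind is documented and, per Janne's reading of back-meta/config.c in 2.4.39, back-meta parses acl-authcDN/acl-passwd but does nothing with them. The suffix, URI, DNs and password are placeholders.

```conf
# Proxy database. back-ldap is shown because slapd-ldap(5) is where
# acl-bind is documented; 2.4.39 back-meta accepts acl-authcDN/acl-passwd
# but, as quoted above, has no code behind them.
database    ldap
suffix      "dc=dom,dc=ain"
uri         "ldap://backend1.dom.ain/"          # placeholder backend
rootdn      "cn=proxy-admin,dc=dom,dc=ain"     # placeholder

# Identity the proxy binds with internally when it has to read entries
# in order to evaluate ACLs, e.g. the member attribute of the group
# below. slapd-ldap(5): this identity needs read access on the remote
# server to the attributes the proxy uses for ACL checking; it is used
# only for that, never exposed to clients.
acl-bind    bindmethod=simple
            binddn="cn=acl-reader,dc=dom,dc=ain"   # placeholder
            credentials="CHANGE-ME"                # placeholder

# The ACL that should let group members in. The group clause can only
# match if the proxy is able to read cn=somegroup's membership on the
# backend; if that read is denied, evaluation falls through to "by * none".
access to dn.subtree="ou=somethingPrivate,dc=dom,dc=ain"   # placeholder
    by group.exact="cn=somegroup,ou=somebranch,dc=dom,dc=ain" read
    by * none
```

Before blaming the proxy, confirm with the check Aaron suggested: an ldapcompare of the group's member attribute against the user's DN, run as the acl-bind identity directly against the backend, must return TRUE; if it does not, the ACL cannot work regardless of the proxy configuration.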