
Re: Acl on a replicated tree: unable to bind as user



On Tue, 27 Feb 2018 09:42:12 +0100,
Giuseppe Civitella <gcivitella@enter.eu> wrote:

> Hi all,
> 
> I've got a master / slave replica setup. I did use this tutorial to
> set up the replica:
> 
> https://wiki.debian.org/LDAP/OpenLDAPSetup
> 
> My ldap tree is something like: Root -> o=(first level local branch),
> o=(first level replicated branch).
> 
> The local branch is just a cut and paste of the replicated branch.
> 
> On the slave server I can use the replicated branch to authenticate
> against a Radius server.
> 
> On the master server I realized I cannot let web users authenticate
> against the replicated branch.
> 
> If I try to bind as a user from the replicated branch, on both the
> master and the slave, I get:
> 
> ldapwhoami -H ldap://localhost -D "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W
> 
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
> 
> On the master, on the local branch, I get:
> 
> ldapwhoami -H ldap://localhost -D "cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W
> 
> Enter LDAP Password:
> dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is
> 
> 
> I did try to configure the acl on the server to disallow anonymous
> bind.
> 
> And, once found this problem, I did try to create a bind user
> (uid=read_only) able to read the replicated branch, userPassword attrs
> included.
> 
> Unfortunately this did not solve the problem.
> 
> My ACLs on the master are:
> 
> dn: olcDatabase={1}mdb
> objectClass: olcDatabaseConfig
> objectClass: olcMdbConfig
> olcDatabase: {1}mdb
> olcDbDirectory: /var/lib/ldap
> olcSuffix: dc=who,dc=is
> olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is"
>   by dn="uid=read_only,ou=binds,dc=who,dc=is" read
> olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is"
>   by dn="uid=isi_replica,ou=binds,dc=who,dc=is" read
> olcAccess: {2}to attrs=userPassword
>   by self write
>   by anonymous auth
>   by * none
> olcAccess: {3}to attrs=shadowLastChange by self write by * read
> olcAccess: {4}to * by users read
> 
> 
> I'm quite new to this kind of setup, is this something to be expected?
> Is there a way to bind directly on the replicated branch?

Run slapd(8) in debug mode acl. Note debugging is not equal to logging!

-Dieter


-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
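Added example, not code from this thread or from OpenLDAP: a small Python model of the slapd.access(5) evaluation order, run over the ACLs quoted above. slapd uses the first `to` clause whose target matches the entry and attribute, then the first `by` clause within it that matches the requester, with an implicit `by * none` when no `by` matches. A simple bind is evaluated as anonymous and needs `auth` access to the target entry's userPassword. Rule {0} has no `attrs=` restriction, so for any entry under o=isiline it already covers userPassword and rule {2} is never consulted; under o=area51 rule {2} is the first match and grants `auth`. The model reproduces exactly the two ldapwhoami results in the post. Only the `to`/`by` forms used in the quoted config are modelled, and `REORDERED_ACLS` is one possible reordering assumed by this example, not something the thread proposes; the authoritative check is the server itself, started in the foreground with `slapd -d acl`, as Dieter says.

```python
"""Simplified model of slapd.access(5) first-match evaluation (added example).

Assumptions: only dn.subtree= and attrs= targets and the by-clauses
self / anonymous / users / * / dn="..." are modelled.  Real slapd also has
filters, regex, sets, break/stop controls and more; verify with slapd -d acl.
"""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


def normalize_dn(dn):
    # Drop whitespace around '=' and ',' so "ou =binds" compares equal to "ou=binds".
    return re.sub(r"\s*([=,])\s*", r"\1", dn).lower()


def in_subtree(entry_dn, base_dn):
    entry, base = normalize_dn(entry_dn), normalize_dn(base_dn)
    return entry == base or entry.endswith("," + base)


class Rule:
    def __init__(self, subtree=None, attrs=None, by=()):
        self.subtree = subtree                                   # dn.subtree="..." or None (any entry)
        self.attrs = {a.lower() for a in attrs} if attrs else None  # attrs=... or None (any attribute)
        self.by = list(by)                                       # ordered (<who>, <level>) pairs

    def matches_target(self, entry_dn, attr):
        if self.subtree and not in_subtree(entry_dn, self.subtree):
            return False
        return self.attrs is None or attr.lower() in self.attrs


def who_matches(who, requester_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and normalize_dn(requester_dn) == normalize_dn(entry_dn)
    if who.startswith("dn="):
        return requester_dn is not None and normalize_dn(requester_dn) == normalize_dn(who[3:].strip('"'))
    raise ValueError("unsupported <who>: " + who)


def access(rules, requester_dn, entry_dn, attr):
    """Access level granted: first matching <to> clause, then first matching <by>."""
    for rule in rules:
        if rule.matches_target(entry_dn, attr):
            for who, level in rule.by:
                if who_matches(who, requester_dn, entry_dn):
                    return level
            return "none"   # <to> matched but no <by> did: implicit 'by * none'
    return "none"           # no <to> clause matched at all


def allows(rules, requester_dn, entry_dn, attr, needed):
    return LEVELS.index(access(rules, requester_dn, entry_dn, attr)) >= LEVELS.index(needed)


def simple_bind_allowed(rules, bind_dn):
    # A simple bind is checked as anonymous and needs 'auth' on userPassword of the bind DN.
    return allows(rules, None, bind_dn, "userPassword", "auth")


# The ACLs exactly as posted (the whitespace in "ou =binds" is normalised away).
READ_ONLY = 'dn="uid=read_only,ou =binds,dc=who,dc=is"'
REPLICA = 'dn="uid=isi_replica,ou=binds,dc=who,dc=is"'
ISILINE = "o=isiline,dc=who,dc=is"

POSTED_ACLS = [
    Rule(subtree=ISILINE, by=[(READ_ONLY, "read")]),                                        # {0}
    Rule(subtree=ISILINE, by=[(REPLICA, "read")]),                                          # {1}
    Rule(attrs=["userPassword"], by=[("self", "write"), ("anonymous", "auth"), ("*", "none")]),  # {2}
    Rule(attrs=["shadowLastChange"], by=[("self", "write"), ("*", "read")]),                # {3}
    Rule(by=[("users", "read")]),                                                           # {4}
]

# One possible reordering (an assumption of this example, not from the thread):
# the userPassword rule has to precede any rule whose <to> clause covers the whole
# replicated subtree, otherwise it is never reached for entries inside it.
REORDERED_ACLS = [
    Rule(attrs=["userPassword"], by=[("self", "write"), ("anonymous", "auth"),
                                     (REPLICA, "read"), (READ_ONLY, "read"), ("*", "none")]),
    Rule(subtree=ISILINE, by=[(READ_ONLY, "read"), (REPLICA, "read")]),
    Rule(attrs=["shadowLastChange"], by=[("self", "write"), ("*", "read")]),
    Rule(by=[("users", "read")]),
]

REPLICATED_USER = "uid=gcivitella,ou=users,o=isiline,dc=who,dc=is"
LOCAL_USER = "cn=gcivitella,ou=users,o=area51,dc=who,dc=is"

if __name__ == "__main__":
    for name, rules in (("posted", POSTED_ACLS), ("reordered", REORDERED_ACLS)):
        for dn in (REPLICATED_USER, LOCAL_USER):
            outcome = "ok" if simple_bind_allowed(rules, dn) else "Invalid credentials (49)"
            print(f"{name:9s} bind as {dn}: {outcome}")
```

In this model the same first-match logic makes rule {1} dead as well: uid=isi_replica is evaluated against rule {0}, matches none of its `by` clauses and gets `none` for the whole replicated branch, which is worth confirming in the `-d acl` output. Granting `read` on userPassword to uid=read_only, as the post describes wanting, discloses password hashes to that account and should stay a deliberate choice.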