Re: ACL on referral object (chaining) does not work

[Pierangelo Masarati <masarati@aero.polimi.it>]

Kay.Kirchhoefer@t-systems.com wrote:
> Hi,
>  
> I have a question regarding ACL used together with chaining overlay configuration. I´m building several ldap servers which should chain each other, based on the selected path. I now wanted to prevent a chaining loop by using ACLs, but that doesn´t work for me. It seems like the ACL is not used for the referral objects.
>  
> sample referral object:
>     dn: o=testldap2,c=de
>     objectClass: referral
>     objectClass: extensibleObject
>     o=testldap2
>     ref: ldap://testldap2/c=de <ldap://testldap2/c=de> 
>  
> chaining config:
>     overlay chain
>     chain-uri ldap://testldap2 <ldap://testldap2> 
>     chain-rebind-as-user yes
>     chain-idassert-bind bindmethod="simple"
>         binddn="cn=xxxxxx"
>         credentials="yyyy"
>         mode="self"
>     chain-max-depth 1
>     chain-return-error TRUE
>  
> ACL config:
>     access to dn.base="o=testldap2,c=de"
>         by peername.ip=192.168.1.1 none
>         by * read
>  
>  
> 192.168.1.1 is the ip address of "testldap2". Everytime a request from this ip occurs, the server should block the access to the (referral) object because it must be a "chained" request
>  
> But that doesn´t work. Also the parameter "chain-max-depth" seems not to work. I´m currently using OpenLDAP version 2.3.20 (but I also tried the latest one).

Not sure, I haven't tried and I'm writing it by heart, but you should 
probably add a "chain-acl-bind" instruction, whose syntax is almost the 
same as the chain-idassert-bind, except for the "mode" parameter that is 
not required (nor allowed).

p.