Re: ACLs: restrict by IP and user
On Thu, Apr 28, 2016 at 09:15:09AM -0400, Aaron Richton wrote:
> >But if I put this kind of an ACL entry to my proxy, when a member of the group
> >"cn=somegroup,ou=somebranch,dc=dom,dc=ain" tries to access somethingPrivate,
> >the ACL checker falls all the way through to the "by * none" WHO clause and no
> >access is granted.
>
> I think I'd start with some basics here: what does ldapcompare(1) show about
> group membership (or lack thereof)? Does it match/disagree with slapd "acl"
> debugging output?
It matches.
> >I have added the acl-authcDN and acl-passwd config lines to my meta backend
> >config after the URI, but they don't seem to have any effect. Moreover, I found
>
> I believe that back-meta, like back-ldap, is transitioning toward the
> acl-bind directive. For now, this appears (perhaps unfortunately) to only be
> documented in the slapd-ldap(5) man page. So take a look at that too.
>
> >I'm running 2.4.39 from the RHEL 7 distribution.
>
> I don't know how many patches RHEL may (or may not) backport for you, but I
> know that some significant improvements have been made since 2.4.39,
> including some back-meta logging enhancements that might make this process a
> bit easier. You should consider using the latest 2.4 release instead.
I can't use back-ldap because I have two mirroring backend servers I want to
connect to (in case one of them fails) and that is precisely the functionality
I require from back-meta.
Looking at the code, my version of back-meta doesn't know anything about
acl-bind (back-ldap does). It does know about acl-authcdn and acl-passwd,
though. From back-meta/config.c:
--clip--
    case LDAP_BACK_CFG_ACL_AUTHCDN:
    case LDAP_BACK_CFG_ACL_PASSWD:
        /* FIXME no point here, there is no code implementing
         * their features. Was this supposed to implement
         * acl-bind like back-ldap?
         */
        rc = 1;
        break;
--clip--
So, um. Maybe I'll have a look at the latest 2.4 code next. Thanks for the
reply.
--Janne
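For reference, here is what the acl-bind directive from slapd-ldap(5) looks like in a back-ldap database, as an added example that is not part of the thread or of the OpenLDAP sources. It assumes a single remote server (Janne needs back-meta for mirroring, so this is the back-ldap shape only); the DNs, hostname, suffix and password are placeholders.

```conf
# Added example (not from the thread): a back-ldap proxy database with the
# acl-bind identity that slapd uses internally when it resolves "by group"
# clauses against the remote server. All names below are placeholders.
database        ldap
suffix          "dc=dom,dc=ain"
uri             "ldap://backend.example/"

# Identity used only for the proxy's internal ACL lookups (group membership
# and similar). Per slapd-ldap(5) it must be able to read, on the remote
# server, the attributes the proxy's ACLs depend on: here the group entry
# and its member attribute. If that read fails, the group clause simply
# never matches and evaluation continues to the next "by" clause.
acl-bind        bindmethod=simple binddn="cn=aclreader,dc=dom,dc=ain" credentials="PLACEHOLDER-PASSWORD"

# ACL in the shape discussed in the thread: members of the group get read
# access to the private subtree; anyone else falls through to "by * none",
# i.e. the proxy fails closed rather than open.
access to dn.subtree="ou=somethingPrivate,dc=dom,dc=ain"
        by group.exact="cn=somegroup,ou=somebranch,dc=dom,dc=ain" read
        by * none
```

A quick way to confirm the acl-bind identity can actually see the membership is to bind as it with ldapcompare(1) against the remote server, as Aaron suggests, before trusting slapd's "acl" debug output through the proxy.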