
Re: ACLs: restrict by IP and user



On Thu, Apr 28, 2016 at 11:05:03AM -0400, Aaron Richton wrote:
> >But we're having a migration phase during which we need to proxy
> >one subtree of our database from an old backend service. So
> >everything else comes from those two backends but one branch; it
> >comes from a third one. And that would require back-meta, I think.
> >So apparently we'll have to think a way around that, maybe by just
> >copying those entries over using a perl script or something...
> 
> Depends what you're doing. Perhaps multiple subordinate back-ldap's
> (maybe with a back-null at the top to glue everything together)?
> And/or create the three back-ldap's under (perhaps unpublished)
> unique suffix, then back-relay everything together?

I tried subordinate back-ldaps, something like this:

---
# migrated subtree: proxied to the old server, DN rewritten on the way
database ldap
suffix ou=foo,ou=bar,dc=dom,dc=ain
uri ldap://migration.server/
overlay rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"
tls propagate

# everything else: the two regular backends
database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---

And it mostly worked. Except when I tried to do a subtree search like
so:

ldapsearch -xZZH ldap://ldap-proxy.server -b ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'

it returned nothing, whereas 

ldapsearch -xZZH ldap://ldap-proxy.server -b ou=foo,ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'

returned the entry. With back-meta, I can base the search on a branch
that resides on one backend server and it also searches other backend
servers that contain sub-branches of that branch; the first kind of
search worked.

Then I tried gluing things together with back-relay. Something like this:

---
# virtual naming context; rwm maps it onto the two real suffixes below
database relay
suffix o=testing
overlay rwm
rwm-suffixmassage "ou=really,o=testing" "ou=some,o=thing"
rwm-suffixmassage "o=testing" "ou=bar,dc=dom,dc=ain"

# migrated subtree, already under its backend-side suffix
database ldap
suffix ou=some,o=thing
uri ldap://migration.server/
tls propagate

# everything else: the two regular backends
database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---

But the result was similar.

ldapsearch -xZZH ldap://ldap-proxy.server -b o=testing 'uid=sth_in_migr_server'

->nothing found

ldapsearch -xZZH ldap://ldap-proxy.server -b ou=really,o=testing 'uid=sth_in_migr_server'

->found entry

(and of course, if I put the rwm-suffixmassage lines in the reverse
order, -b ou=really,o=testing resulted in "no such object" because there
really isn't a subtree "ou=really,ou=bar,dc=dom,dc=ain" on the backend
servers)

So apparently, I can use back-ldap to proxy a separate branch of my
database to a separate server, but I cannot expect subtree searches
based on somewhere else to contain that separate branch?

Thanks again for the suggestions.


--Janne
-- 
Janne Peltonen <janne.peltonen@helsinki.fi> PGP Key ID: 0x9CFAC88B
Consider membership of the Hospitality Club (http://www.hospitalityclub.org)
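An added example, not part of the thread and not tested against Janne's servers: the first configuration above, extended with the "subordinate" directive that slapd.conf(5) documents for gluing one database's suffix into its superior so that searches based on the superior also cover the subordinate. Hostnames and suffixes are taken from the message; the placement of "subordinate" before "overlay rwm" and the expectation that the glue works with a back-ldap superior are the editor's reading of the manual, not something the thread confirms.

```conf
# Added example (editor's, not from the thread): glue the migrated
# subtree into the main proxied namespace with "subordinate".
#
# Per slapd.conf(5), a subordinate database must be defined before its
# superior, and "subordinate" is a database directive, so it goes before
# the "overlay rwm" line, after which rwm-* directives belong to the
# overlay.

# migrated subtree, glued under dc=dom,dc=ain
database ldap
suffix "ou=foo,ou=bar,dc=dom,dc=ain"
subordinate
uri ldap://migration.server/
tls propagate
overlay rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"

# superior database: a subtree search based at ou=bar,dc=dom,dc=ain (or
# at dc=dom,dc=ain) should now also be dispatched to the subordinate above
database ldap
suffix "dc=dom,dc=ain"
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
```

The check is the first ldapsearch from the message, based at ou=bar,dc=dom,dc=ain with a filter for a uid that lives only on migration.server: with the glue in place it should return the entry, where the ungluued configuration returned nothing. Note that glue changes failure behaviour as well as success: if migration.server is unreachable, the superior's search still answers, and the missing entries simply appear absent rather than producing an error, so keep the "tls propagate" line and watch the proxy's logs for the subordinate's connection failures during the migration window.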