[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Replication account problem

To: Vincent Ducot <vincent.ducot@rubycat.eu>, openldap-technical@openldap.org
Subject: Re: Replication account problem
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Mon, 13 Jan 2020 08:24:23 -0800
Content-disposition: inline
Dkim-filter: OpenDKIM Filter v2.10.3 zmcc-2-mta-1.zmailcloud.com 90A85C08ED
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=symas.com; s=37C7994C-28CA-11EA-A30F-68F90BB9D764; t=1578932665; bh=CwHzyv+PsVF0lGA2PdMC8tKidRWBqR4+GwAO7wu85kM=; h=Date:From:To:Message-ID:MIME-Version; b=Gh0TtdMZf1Lqfk4kDHEj+hJkhTdfvd1Xpb8pI1P+9C1huG5+i3+hcWIvT6ruDL/ym 0/aYfkbHaNFCqixnJ5d7Qy1p+9jcZtDrBqI/nMFLGhNrOd7h8Owx3mS+QKl83SazrB LQxj9//3ANKSYSFp55FxxIqvyBFR6i0nxTt9ohSSUD5oiqXeizAMtbmuYnGPt9d3yy 2BMcB2f+6pwgmTNCjepvMVftNCM9IJV7t9b+R4QbfW279D+/BZOareQJi+HjG2wdZQ Cz6GLLyTaDK2rNa11C1nArjknDosSNQhMFd5X+Kil1Oe8CAjM6uHPKL0cknQ3PfMAl K6xsgYBJHTXnA==
In-reply-to: <edf16a7e-4a72-18e9-d743-e4302bfdb0b6@rubycat.eu>
References: <f0329178-d3c7-e121-a39b-f525d5814dd3@rubycat.eu> <21AF0BBF8D8F200B382C85B6@[192.168.1.144]> <6f97400f-404e-ebed-00a5-6de166af96e5@rubycat.eu> <4153400F98CD378339769248@[192.168.1.144]> <edf16a7e-4a72-18e9-d743-e4302bfdb0b6@rubycat.eu>

--On Monday, January 13, 2020 4:53 PM +0100 Vincent Ducot<vincent.ducot@rubycat.eu> wrote:


Hi,

yes, I understand the processing order. So something like this should
work, right ?

No. All access to userPassword is stopped by your very first ACL, nofurther ACLs for it will apply, as I already stated. Again, ACL processingSTOPs at the FIRST matching rule. Additionally, a replication user onlyneeds read access to read data off the master. It does not need explicitwrite access to its local db.

olcAccess: to attrs=userPassword by anonymous auth
 olcAccess: to * by dn="uid=rpuser,dc=foo,dc=bar" write
 olcAccess: to attrs=userPassword by self write by * none
 olcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by
users read by * none

So in the above, any and all access to userPassword STOPs at the "byanonymous auth access". Any other type of request for access touserPassword will be denied.


You most likely want something more like:

olcAccess: to attrs=userPassword by anonymous auth by self write bydn.exact="uid=rpuser,dc=foo,dc=bar" readolcAccess: to * by dn="cn=admin,dc=foo,dc=bar" write by self write by usersread by * none

This appears to encapsulate the permissions you're trying to set up in theabove.

Note that a "user" is *any* identity that succesfully authenticated to theLDAP server, so the "rpuser" is already covered in the "to *" access lineby the rule "by users read".


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

Follow-Ups:
- Re: Replication account problem
  - From: Vincent Ducot <vincent.ducot@rubycat.eu>

References:
- Replication account problem
  - From: Vincent Ducot <vincent.ducot@rubycat.eu>
- Re: Replication account problem
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Replication account problem
  - From: Vincent Ducot <vincent.ducot@rubycat.eu>
- Re: Replication account problem
  - From: Quanah Gibson-Mount <quanah@symas.com>
- Re: Replication account problem
  - From: Vincent Ducot <vincent.ducot@rubycat.eu>

Prev by Date: Re: Antw: Re: Openldap support SHA-256 or SHA-3.
Next by Date: RE24 testing call (2.4.49) LMDB RE0.9 testing call (0.9.25)
Index(es):
- Chronological
- Thread