[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (ITS#5601) set-acl failure under back-ldap+rwm

To: openldap-its@OpenLDAP.org
Subject: Re: (ITS#5601) set-acl failure under back-ldap+rwm
From: ando@sys-net.it
Date: Sat, 12 Jul 2008 12:35:08 GMT

ando@sys-net.it wrote:
	> mbackes@symas.com wrote:
> 
> The reason is quite simple: set expansion uses the rewritten DN as the 
> user's name, so a local lookup of the entry "cn=user,dc=remote" fails 
> since no local database serves the naming context "dc=remote".  The root 
> cause is that back-ldap binds as the rewritten DN, which is later stored 
> as the real identity.  I think this was done on purpose, and is to some 
> extent appropriate, but makes the type of ACL you want to design 
> basically impossible.  A solution would be to make slapo-rwm intercept 
> successful binds (in the cleanup callback) and rewrite back the bound DN 
> into the virtual naming context.  I'll see if it is possible, but then 
> we need to decide whether this is the desired behavior.  Otherwise, we'd 
> need to have two o_ndn fields: the real DN and the real-real DN.

To further elaborate, even if the virtual DN is set instead of the real 
one in c_ndn, the operation fails because ACL checking passes through 
bi_entry_get_rw(), which is not provided by slapo-rwm, and can't be 
provided according to the current design, since it does not allow to 
massage the arguments.  As a quick'n'dirty fix, what you can do is make 
the proxy database serve both naming contexts, namely

database ldap
suffix "dc=remote,dc=local"
suffix "dc=remote"
uri "ldap://127.0.0.1:2389";
acl-bind bindmethod=simple
         binddn="cn=user,dc=remote"
         credentials=secret
overlay rwm
rwm-suffixmassage "dc=remote,dc=local" "dc=remote"

This allows the proxy database to be found by select_backend() when 
searching the right backend using the real naming context.  At the same 
time, internal searches occur as expected.

This is a hack; the real fix requires to redesign the API of 
bi_entry_get_rw(), to let it modify the request arguments while letting 
the real function do the hard job.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
-----------------------------------

Prev by Date: Re: (ITS#5601) set-acl failure under back-ldap+rwm
Next by Date: Re: (ITS#5599) slapd dies on erroneous MOD input
Index(es):
- Chronological
- Thread