
Re: meta backend config problem



Alex Samad wrote:
On Tue, Jan 23, 2007 at 04:31:56PM +0100, Julien Oix wrote:
hi everyone,

I made a previous post, but no one answered, so I try again :)

I'm trying to deploy a meta directory using the OpenLdap meta backend.

I'm using the slapd Etch Debian package, version 2.3.27-1

When my target server includes the following ACL, everything is fine: I can
retrieve any data through the meta directory using ldapsearch, it works fine

##

access to attrs=userPassword
       by dn="cn=admin,dc=toto,dc=fr" write
       by anonymous auth
       by self write
       by * none

and

access to *
       by dn="cn=admin,dc=toto,dc=fr" write
       by * read

##

but I want only authenticated connections (no anonymous bind, if I'm right) to have read access, so I change the ACL like that

##

access to attrs=userPassword,shadowLastChange
       by dn="cn=admin,dc=toto,dc=fr" write
       by anonymous auth
       by self write
       by * none

and

access to *
       by dn="cn=admin,dc=toto,dc=fr" write
       by self read
       by anonymous auth
       by * none

Why not change this to


 access to *
        by dn="cn=admin,dc=toto,dc=fr" write
        by users read
        by * none


The above line says only allow self to access *, so if the object is the DN for the user it is allowed to read, but it is not allowed to read anything else.

##

So, for this target, I'm adding the acl-authcDN and acl-passwd
directives to the meta directory, with the target's rootdn and rootpw values, in order to enable ACL checking and matching (in that case, the write privilege for dn="cn=admin,dc=toto,dc=fr"),


giving this in the meta backend conf

##
database        meta

suffix          "dc=meta-ufr-info-p7,dc=jussieu,dc=fr"

uri             "ldap://localhost:389/dc=meta-ufr-info-p7,dc=jussieu,dc=fr";
suffixmassage   "dc=meta-ufr-info-p7,dc=jussieu,dc=fr" "dc=toto,dc=fr"

acl-authcDN "cn=admin,dc=toto,dc=fr"
acl-passwd "xxxxx"
##

But at this moment, I can't retrieve any data anymore when I perform an
ldapsearch through the meta directory...

Is there anything wrong in my conf?

The slapd-meta man page says about the acl-authcDN directive: "it is
supposed to have read access on the target server to attributes used
on the proxy for acl checking."

What does that mean exactly? :)

haven't looked at meta data
Hi Alex,

I know what you mean, but it doesn't change anything to my problem, because I try to connect to the target "dc=toto,dc=fr" with its root DN, which would be matched by the line:

by dn="cn=admin,dc=toto,dc=fr" write

My question is: am I right to think that the acl-* directive values used in a target configuration really are the DN used to bind to that target? :)


Thanks !


--
Julien Oix
UFR d'Informatique - Université Paris Diderot

Bureau 5C01 (5ème étage)
175 rue du Chevaleret
75013 PARIS

Tel : +33 (0) 144 278 504
Mobile : +33 (0) 664 392 207
---------------------------------------------
http://www.gnu.org/philosophy/no-word-attachments.html
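To make Alex's point concrete, here is an added example (written for this page, not code from the thread or from OpenLDAP): a toy model of slapd's ACL evaluation, using the privilege order and first-match semantics of slapd.access(5), loaded with Julien's second ruleset (`SELF_ONLY`) and with Alex's `by users read` replacement for its `access to *` directive (`USERS_READ`). Only `to *`, `to attrs=...` and the `dn=`, `self`, `users`, `anonymous` and `*` forms of `<who>` are modelled; the user DNs in the checks are constructed.

```python
import re
LEVELS = ["none", "auth", "compare", "search", "read", "write"]  # slapd privilege order

def norm_dn(dn):  # simplified DN equality: case- and comma-spacing-insensitive
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_acls(text):
    """'access to *|attrs=a,b' and 'by <who> <level>' lines -> [(attrs, clauses)]."""
    acls = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("access to "):
            what = line[len("access to "):]
            attrs = None if what == "*" else {a.lower() for a in what.split("=", 1)[1].split(",")}
            acls.append((attrs, []))
        elif line.startswith("by "):
            acls[-1][1].append(tuple(line[3:].rsplit(None, 1)))  # (<who>, <level>)
    return acls

def who_matches(who, bind_dn, entry_dn):
    """Does a <who> clause match this bind DN (None = anonymous) on this entry?"""
    if who.startswith('dn="'):
        return bind_dn is not None and norm_dn(bind_dn) == norm_dn(who[4:-1])
    return {"*": True, "anonymous": bind_dn is None, "users": bind_dn is not None,
            "self": bind_dn is not None and norm_dn(bind_dn) == norm_dn(entry_dn)}[who]

def granted(acls, bind_dn, entry_dn, attr, wanted):
    """First directive whose <what> covers attr wins; in it, the first matching <who> decides."""
    for attrs, clauses in acls:
        if attrs is not None and attr.lower() not in attrs:
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, entry_dn):
                return LEVELS.index(level) >= LEVELS.index(wanted)
        return False  # no <who> matched: implicit trailing "by * none"
    return False  # no directive covers this attribute: denied

SELF_ONLY = parse_acls('''access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=toto,dc=fr" write
    by anonymous auth
    by self write
    by * none
access to *
    by dn="cn=admin,dc=toto,dc=fr" write
    by self read
    by anonymous auth
    by * none''')
USERS_READ = SELF_ONLY[:1] + parse_acls('''access to *
    by dn="cn=admin,dc=toto,dc=fr" write
    by users read
    by * none''')
```

With `SELF_ONLY`, an authenticated user can read only their own entry; with `USERS_READ` any authenticated bind can read every entry, while the earlier `attrs=userPassword` directive still keeps passwords unreadable and leaves `anonymous auth` only the privilege needed to bind.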