Re: meta backend config problem

[Julien Oix <Julien.Oix@paris7.jussieu.fr>]

Alex Samad wrote:
> On Tue, Jan 23, 2007 at 04:31:56PM +0100, Julien Oix wrote:
>   
> > hi everyone,
> >
> > I made a previous post, but noone answered, so I try again :)
> >
> > I'm trying to deploy a meta directory using the OpenLdap meta backend.
> >
> > I'm using the slapd Etch Debian package, version 2.3.27-1
> >
> > when my target server includes the next ACL, eveything is fine, I can
> > retrieve any data by the meta directory using ldapsearch, it works fine
> >
> > ##
> >
> > access to attrs=userPassword
> >        by dn="cn=admin,dc=toto,dc=fr" write
> >        by anonymous auth
> >        by self write
> >        by * none
> >
> > and
> >
> > access to *
> >        by dn="cn=admin,dc=toto,dc=fr" write
> >        by * read
> >
> > ##
> >
> > but I want only authentified connections (no anonymous bind, if i'm 
> > right) to have read access, so I change the ACL like that
> >
> > ##
> >
> > access to attrs=userPassword,shadowLastChange
> >        by dn="cn=admin,dc=toto,dc=fr" write
> >        by anonymous auth
> >        by self write
> >        by * none
> >
> > and
> >
> > access to *
> >        by dn="cn=admin,dc=toto,dc=fr" write
> >        by self read
> >        by anonymous auth
> >        by * none
> >     
>
> Why not change this to 
>
>  access to *
>         by dn="cn=admin,dc=toto,dc=fr" write
>         by users read
>         by * none
>
>
> the above line say's only allow self to access *, so if the object is the dn
> for the user it is allowed to read, but it is not allow to read any thing else
>
>   
> > ##
> >
> > So, for this target, i'm adding the acl-authcDN and acl-passwd
> > directives to the meta directory, with the target's rootdn and rootpw 
> > values, in order to enable ACL checking and matching (in that case, the 
> > write privilege for dn="cn=admin,dc=toto,dc=fr")
> >
> > giving this in the meta backend conf
> >
> > ##
> > database        meta
> >
> > suffix          "dc=meta-ufr-info-p7,dc=jussieu,dc=fr"
> >
> > uri             "ldap://localhost:389/dc=meta-ufr-info-p7,dc=jussieu,dc=fr";
> > suffixmassage   "dc=meta-ufr-info-p7,dc=jussieu,dc=fr" "dc=toto,dc=fr"
> >
> > acl-authcDN "cn=admin,dc=toto,dc=fr"
> > acl-passwd "xxxxx"
> > ##
> >
> > But at this moment, I can't retrieve any data anymore, as I perform an
> > ldapsearch by the meta directory ....
> >
> > Is there anything wrong in my conf ?
> >
> > the slapd-meta man page says about acl-authcDN directives : "it is
> > supposed to have read access on the target server to attributes  used
> > on  the  proxy  for  acl checking."
> >
> > what does that mean exactly ? :)
> >     
>
> haven't looked at meta data
>   
Hi Alex,

i know what U mean, but it doesn't change anything to my problem, 
because I try to connect to the target "dc=toto,dc=fr" whith it's root 
dn that would be matched by the line :

by dn="cn=admin,dc=toto,dc=fr" write

my question is : am I right to think that the acl-* directives values 
used in a target configuration really are the dn used to bind to that 
target :)


Thanks !


--
Julien Oix
UFR d'Informatique - Université Paris Diderot

Bureau 5C01 (5ème étage)
175 rue du Chevaleret
75013 PARIS

Tel : +33 (0) 144 278 504
Mobile : +33 (0) 664 392 207
---------------------------------------------
http://www.gnu.org/philosophy/no-word-attachments.html