Re: How to hide namingContext in rootDSE ?
Hello,
First, thank you for your help :)
>> 1/ Is there a better way to do this, without rewriting V2 values?
>
> Well, you can use multiple instances of back-relay instead of back-ldap,
> saving transliterations of requests and responses. I don't see other
> chances of rewriting the value of uniqueMember attributes.
Hmm. I tried to apply your suggestions. But with OpenLDAP 2.3.43 (not 2.4.*
yet), I get a well-formed "segmentation fault"! So, for the moment, I
have only one back-relay instead of two.
> Probably, a solution here (for a future enhancement) would be to allow
> specifying when rewriting should take place (before or after mapping?),
> or simply be as liberal as possible, allowing rewriting when either
> before or after an attribute will have DN syntax. You can file an ITS
> for this.
OK, a good idea.
>> 2/ How can I hide my transitional LDAP suffix in the rootDSE?
>
> Hiding values in namingContexts can be done using ACLs. What makes it
> tricky is that namingContexts, by (poor?) design, has no EQUALITY rule,
> so if you write a rule like
>
> access to dn.exact="" attrs=namingContext val="o=example transitional"
> by * none
>
> will not work. You need to specify what equality rule to use, something
> like
>
> access to dn.exact=""
> attrs=namingContext
> val/distinguishedNameMatch="o=example transitional"
> by * none
OK. I also tried to apply this ACL. With some corrections, I see the ACL
matching in my OpenLDAP log. But it does not work...
I have only these ACLs defined:
8<--------
access to dn.exact=""
attrs=namingContexts val/distinguishedNameMatch="o=example transitional"
by * none
access to dn.base="" by * read
8<--------
The first should match when the namingContexts values are listed. But it
doesn't: I have read access on all values. I have inverted all ACLs, tried
to apply different scopes or more restrictive rights with some
break/continue controls, etc.
8<--------
Backend ACL: access to dn.base=""
attrs=namingContexts
val.base="o=example transitional"
by * none
Backend ACL: access to dn.base=""
by * read
Backend ACL: access to dn.base="cn=subschema"
by * read
[...]
=> access_allowed: search access to "" "objectClass" requested
=> dn: [1]
=> acl_get: [1] matched
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "" "entry" requested
=> dn: [1]
=> acl_get: [1] matched
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr entry
=> acl_mask: access to entry "", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [1]
=> acl_get: [1] matched
acl_get: val o=example transitional
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
8<--------
Any idea?
Cheers,
Thomas.
--
Thomas Chemineau
Groupe LINAGORA - http://www.linagora.com
Tél.: +33(0)1 58 18 68 28 - Fax : +33(0)1 58 18 68 29