Re: Externalize access to a partial replica
- To: openldap-software@openldap.org
- Subject: Re: Externalize access to a partial replica
- From: Harry Jede <walk2sun@arcor.de>
- Date: Thu, 9 Apr 2009 23:50:47 +0200
- Content-disposition: inline
- In-reply-to: <49DDCC9F.8030905@it-sudparis.eu>
- References: <49DDCC9F.8030905@it-sudparis.eu>
- User-agent: KMail/1.9.5
On Thursday, 9 April 2009 12:23, Jehan PROCACCIA wrote:
> hello
>
> I need to give access to a partial replica of my ldap directory
> this replica only contains "white pages" attributes -> no userpassword!
>
> syncrepl rid=001
> filter="(|(objectClass=organizationalPerson)
> attrs="uid,cn,sn,ou,departmentNumber,GivenName
>
> I created a bind user in the master ldap to give external access to
> that replica
> but as I don't replicate userpassword, then that bind user doesn't
> have userpassword in the replica and then cannot authenticate on it
> (egg and chicken pb !)
>
> then how can I have that partial replica without userpassword
> attributes, but still allow someone (at least one dn, but not the
> rootdn in slapd.conf that I want to keep secret)
> to bind to that replica !?
>
> I tested a binddn out of ldap database with SASL (digest-md5), but
> apparently (ldapsearch -Y) it requires a userpassword attribute for
> that binddn in the ldap database :-(
> I thought that having a password only in /etc/sasldb2 would be enough
> ... too bad ;-(
> I also tested with a translucent in front of my replica, in that
> translucent I added the userpassword for the binddn so that he can
> bind, but the search addressed to that translucent that finally goes
> to my partial replica ends up in an anonymous bind,
> not as that binddn I expected :-( (so ACL cannot be matched)
>
> Please let me know how to let a user+password (binddn having
> corresponding ACL) search my replica on a replica not containing
> userpassword attributes (or at least one for that binddn).
> would it
> be possible to replicate userpassword attribute from the master only
> for that binddn ?
Sounds simple, but I haven't tried it :-(
Use two databases in your "White pages server"
database 1 contains only DNs with userpassword
database 2 your white pages
create for both databases separate syncrepl stanzas with different RIDs.
use the defaultsearch statement in slapd.conf to direct all searches
without a searchbase to database 2
put ACLs for database 2 so that the "who clause" in ACL write/manage
statements point to entries in database 1
do not allow any anonymous access to database 1
force database 1 to only accept encrypted access
> Thanks.
--
Regards
Harry Jede
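Harry's two-database layout, as an added slapd.conf sketch (example configuration, not from the thread or the poster's setup; suffixes, RIDs, provider URL, DNs, paths and credentials are assumed placeholders, and it assumes the master keeps the bind identities under a subtree of their own, here ou=binders):

```conf
# Added example, not from the thread: the two-database consumer layout.
# Suffixes, RIDs, provider URL, DNs, paths and credentials are placeholders.
defaultsearchbase "dc=example,dc=com"   # searches with no base go to database 2

# Database 1: bind identities only, replicated WITH userPassword so the
# white-pages bind DN can authenticate here. Listed first: its suffix is a
# prefix of database 2's, and slapd uses the first matching suffix.
database        hdb
suffix          "ou=binders,dc=example,dc=com"
directory       /var/lib/ldap/binders
rootdn          "cn=admin,ou=binders,dc=example,dc=com"   # no rootpw: cannot bind as it
security        ssf=128          # refuse any operation on a non-encrypted session
syncrepl        rid=001
                provider=ldaps://master.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="ou=binders,dc=example,dc=com"
                attrs="objectClass,cn,uid,userPassword"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=REPLACE_ME
# Anonymous may only use userPassword to authenticate; nobody reads it.
access to attrs=userPassword
        by anonymous auth
        by * none
access to *
        by self read
        by * none

# Database 2: the white pages, replicated WITHOUT userPassword.
database        hdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap/whitepages
rootdn          "cn=admin,dc=example,dc=com"
syncrepl        rid=002
                provider=ldaps://master.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                filter="(objectClass=organizationalPerson)"
                attrs="uid,cn,sn,ou,departmentNumber,givenName"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=REPLACE_ME
# The "who" clause names an entry that exists only in database 1;
# slapd matches the bound DN as a string, so it need not live here.
access to *
        by dn.exact="cn=whitepages,ou=binders,dc=example,dc=com" read
        by * none
```

On the provider, the replication identity must be granted read access to userPassword under ou=binders for rid=001 to carry it, while rid=002 never requests it. Bind as cn=whitepages,ou=binders,... and search without a base to confirm the ACL in database 2 matches that DN rather than anonymous.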