
Re: Chain overlay and ACLs



> Noob question:
>
> I've set up chaining from my slave LDAP to the master.  It seemed
> everything was working fine, until I realized that ANY user can now make
> modifications in the LDAP DB if it is done from the slave.
>
> My ACLs allow full write access to the chain binddn.  If I don't set
> this, chaining fails.  But with it set, any valid, authenticated user
> can make DB changes (full write access).
>
> I am confused as to why this is happening.

Well, of course you're supposed to configure slapo-chain so that it uses
the binddn only to authorize as the original request identity.  Within the
wealth of info you provided you did not show how the chain overlay is
configured (unless I missed it), but in any case you should follow the
indications here
<http://www.openldap.org/doc/admin24/overlays.html#Chaining>
(specifically, see the "chain-idassert-bind" stanza).

p.
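The configuration the reply points at, written out as an added example (it is not part of the original thread and not taken from the poster's setup; the DNs, the URI and the password are placeholders). The slave side uses chain-idassert-bind with mode="self", so the chain binddn is used only for the bind to the master, and every chained update carries the proxied authorization control naming the user who originally bound to the slave. The master side then needs two things instead of a blanket write ACL for the binddn: authz-policy set to "to", and an authzTo value on the binddn's entry that restricts which identities it may assert. The master's own ACLs are evaluated against the asserted user, so the binddn itself never needs write access.

```conf
# ---- slave (consumer) slapd.conf: chain overlay, global section or inside
# ---- the replicated database (example only, all names are placeholders)

overlay                 chain
chain-uri               "ldap://master.example.com"
# Bind to the master as the chain identity, but assert the identity of the
# user who bound to the slave (mode="self") via proxied authorization.
chain-idassert-bind     bindmethod="simple"
                        binddn="cn=chain,dc=example,dc=com"
                        credentials="secret"
                        mode="self"
chain-tls               start
# Hand the master's result (e.g. insufficientAccessRights) back to the
# client instead of returning the referral.
chain-return-error      TRUE

# ---- master (provider) slapd.conf: allow the binddn to *assert* identities,
# ---- not to write

# Proxy authorization is granted by the authzTo attribute on the source
# (binding) entry; without this line the control is rejected and chaining
# fails even though the bind itself succeeds.
authz-policy            to

database                bdb
suffix                  "dc=example,dc=com"
rootdn                  "cn=Manager,dc=example,dc=com"

# Ordinary ACLs: the chain binddn gets no special write access.  Updates
# arriving through the chain are evaluated as the asserted user.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by users read
        by * none

# ---- LDIF applied on the master as rootdn: let cn=chain assert only
# ---- identities under ou=People (authzTo is operational, so no extra
# ---- objectClass is needed)

dn: cn=chain,dc=example,dc=com
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=People,dc=example,dc=com$
```

To check the result, bind to the slave as an ordinary user and attempt a modification of someone else's entry; with the configuration above the master evaluates it as that user and returns insufficientAccessRights (result code 50), which chain-return-error passes through to the client. A modification of the user's own entry, or one made by the rootdn, still goes through. If the chain binddn is granted write access in the master ACLs and mode="self" is missing, every chained write runs as the binddn, which is exactly the symptom described in the question.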