
Re: acl confusion in proxy server config



> I have a proxy server ('ldap' backend) sitting in front of a master
> directory.
>
> The DNs on my master directory are UUIDs + ou + domain, e.g.
> myid=1234...89,dc=yada,dc=com.
>
> Each object has a (unique) username attribute.
>
> Logging in on the proxy server involves mapping the username to the DN
>
> rwm-rewriteMap ldap uid2DN
> "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub"
> binddn="uid=..." credentials="xxx"
>
> rwm-rewriteContext  bindDN
> rwm-rewriteRule     "^uid=([a-z0-9_]{3,24}),ou=zzz"
>                     "${uid2DN(myusername=$1)}"
>                     ":@I"
>
> I would like anyone logging in as themselves to be able to read their
> own attributes.  I'm having trouble doing this.  'Self' doesn't seem to
> work because of the mapping going on, e.g.
>
> access to dn.sub="ou=vpn"
>        by self read
>        by anonymous auth
>        by * none
>
> Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry
> "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
> Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by
> "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
> (read(=rscxd))
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
> Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
> Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
> Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access
> denied by none(=0
>
> I think 'self' doesn't match because
> myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal
> myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com
> (is my thinking correct on this?)
>
> How do I allow a user to read their own attributes in this situation?

If I get you correctly, you bind as

  myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz (1)

and you want it rewritten as

  myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (2)

but then you would like slapd to recognize (2) as "self" of (1); one thing
you could probably do is use authz-regexp (see slapd.conf(5)) to authorize
(2) as (1) again (although I think this is getting too much wound up to
make any sense).  At this point, the identity would appear as (1) for
"self", and as (2) for "realself".  I haven't checked, so I can't
guarantee it works.

p.
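As an added illustration (not from this thread and not slapd code), a small Python model of the identity flow the reply describes: the login DN (1) is rewritten to the master DN (2), and an assumed authz-regexp-style mapping carries (2) back to (1) so that an ACL `by self` compares like with like. The uid2DN lookup table, the reverse-mapping regex and the DN normalisation are constructed assumptions, not verified slapd behaviour.

```python
import re
from typing import Optional

# Constructed sample data standing in for the poster's rwm-rewriteMap ldap
# lookup (username -> master directory DN). Not a real directory.
UID2DN = {
    "alice": "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
}

# Same pattern as the poster's rwm-rewriteRule for the bindDN context.
BIND_RULE = re.compile(r"^uid=([a-z0-9_]{3,24}),ou=zzz")

# Hypothetical authz-regexp in the spirit of the reply: map master DN (2)
# back to the proxy-side form (1). Assumed, not taken from the thread.
AUTHZ_PATTERN = re.compile(r"^myid=([^,]+),ou=something,dc=xyz,dc=com$")
AUTHZ_REPLACE = r"myid=\1,ou=zzz"


def rewrite_bind_dn(login_dn: str) -> Optional[str]:
    """Step (1) -> (2): resolve the login name to the master directory DN."""
    m = BIND_RULE.match(login_dn)
    if not m:
        return None
    return UID2DN.get(m.group(1))


def authz_map(dn: str) -> str:
    """Step (2) -> (1): apply the authz-regexp-style mapping, else keep the DN."""
    if AUTHZ_PATTERN.match(dn):
        return AUTHZ_PATTERN.sub(AUTHZ_REPLACE, dn)
    return dn


def self_allowed(bound_as: str, entry_dn: str) -> bool:
    """ACL 'by self': grant only when the authorization DN equals the entry DN.
    Case and spaces are ignored here as a rough stand-in for DN normalisation."""
    norm = lambda s: s.replace(" ", "").lower()
    return norm(bound_as) == norm(entry_dn)


def check_self(login_dn: str, entry_dn: str, with_authz: bool) -> bool:
    """Run the whole flow and report whether 'self' would match the entry.
    with_authz=False reproduces the denial in the poster's log; True shows
    what the reverse mapping would change."""
    authc = rewrite_bind_dn(login_dn)
    if authc is None:
        return False
    authz = authz_map(authc) if with_authz else authc
    return self_allowed(authz, entry_dn)
```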