[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: acl confusion in proxy server config

To: "Ron Peterson" <rpeterso@mtholyoke.edu>
Subject: Re: acl confusion in proxy server config
From: masarati@aero.polimi.it
Date: Sun, 14 Aug 2011 00:28:13 +0200 (CEST)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <20110811154159.GK19185@mtholyoke.edu>
References: <20110811154159.GK19185@mtholyoke.edu>
User-agent: SquirrelMail/1.4.15

> I have a proxy server ('ldap' backend) sitting in front of a master
> directory.
>
> The DNs on my master directory are UUIDs + ou + domain, e.g.
> myid=1234...89,dc=yada,dc=com.
>
> Each object has a (unique) username attrbute.
>
> Logging in on the proxy server involves mapping the username to the DN
>
> rwm-rewriteMap ldap uid2DN
> "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub"
> binddn="uid=..." credentials="xxx"
>
> rwm-rewriteContext  bindDN
> rwm-rewriteRule     "^uid=([a-z0-9_]{3,24}),ou=zzz"
>                     "${uid2DN(myusername=$1)}"
>                     ":@I"
>
> I would like anyone logging in as themselves to be able to read their
> own attributes.  I'm having trouble doing this.  'Self' doesn't seem to
> work because of the mapping going on, e.g.
>
> access to dn.sub="ou=vpn"
>        by self read
>        by anonymous auth
>        by * non
>
> Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry
> "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
> Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by
> "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
> (read(=rscxd))
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
> Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
> Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
> Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access
> denied by none(=0
>
> I think 'self' doesn't match because
> myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal
> myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com
> (is my thinking correct on this?)
>
> How do I allow a user to read their own attributes in this situation?

If I get you correctly, you bind as

  myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz (1)

and you want it rewritten as

  myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (2)

but then you would like slapd to recognize (2) as "self" of (1); one thing
you could probably do is use authz-regexp (see slapd.conf(5)) to authorize
(2) as (1) again (although I think this is getting too much wound up to
make any sense).  At this point, the identity would appear as (1) for
"self", and as (2) for "realself".  I haven't checked, so I can't
guarantee it works.

p.

References:
- acl confusion in proxy server config
  - From: Ron Peterson <rpeterso@mtholyoke.edu>

Prev by Date: Re: Problem with overlay uniqe
Next by Date: Re: Assigning Groups to LDAP users
Index(es):
- Chronological
- Thread