Re: acl confusion in proxy server config
> I have a proxy server ('ldap' backend) sitting in front of a master
> directory.
>
> The DNs on my master directory are UUIDs + ou + domain, e.g.
> myid=1234...89,dc=yada,dc=com.
>
> Each object has a (unique) username attribute.
>
> Logging in on the proxy server involves mapping the username to the DN
>
> rwm-rewriteMap ldap uid2DN
> "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub"
> binddn="uid=..." credentials="xxx"
>
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=zzz"
> "${uid2DN(myusername=$1)}"
> ":@I"
>
> I would like anyone logging in as themselves to be able to read their
> own attributes. I'm having trouble doing this. 'Self' doesn't seem to
> work because of the mapping going on, e.g.
>
> access to dn.sub="ou=vpn"
> by self read
> by anonymous auth
> by * none
>
> Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry
> "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
> Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by
> "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
> (read(=rscxd))
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
> Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
> Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
> Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
> Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access
> denied by none(=0
>
> I think 'self' doesn't match because
> myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal
> myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com
> (is my thinking correct on this?)
>
> How do I allow a user to read their own attributes in this situation?
If I get you correctly, you bind as
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz (1)
and you want it rewritten as
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (2)
but then you would like slapd to recognize (2) as "self" of (1); one thing
you could probably do is use authz-regexp (see slapd.conf(5)) to authorize
(2) as (1) again (although I think this is getting too much wound up to
make any sense). At this point, the identity would appear as (1) for
"self", and as (2) for "realself". I haven't checked, so I can't
guarantee it works.
p.
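To make the mechanism in this thread concrete, here is an added Python simulation (not code from the thread or from OpenLDAP) of what the log above shows: slapd's `self` clause only matches when the bound DN and the entry DN compare equal after normalization, so a bind DN that rwm has rewritten into the master's namespace can never be "self" of an entry that the proxy presents under `ou=zzz`. The `UID2DN` lookup stands in for the `uid2DN` rewriteMap (constructed values), the DN normalization is deliberately simplified, and `map_back_to_proxy_dn` is the untested "authorize (2) as (1) again" mapping the reply speculates about; the ACL evaluator follows slapd's first-matching-`by`-clause rule with a default of `none`.

```python
import re

# Constructed stand-in for the uid2DN rewriteMap: username -> DN on the master.
# The UUID is the one that appears in the quoted log; the username is made up.
UID2DN = {
    "alice": "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
}

# The rwm-rewriteRule from the post: uid=<name>,ou=zzz -> ${uid2DN(myusername=<name>)}
BIND_REWRITE = re.compile(r"^uid=([a-z0-9_]{3,24}),ou=zzz$")

# Hypothetical reverse mapping in the spirit of the reply's authz-regexp idea:
# master DN (2) -> proxy-side DN (1).  Not verified against slapd; illustration only.
MAP_BACK = re.compile(r"^myid=([^,]+),ou=something,dc=xyz,dc=com$")

# The access directive from the post, as (who, level) clauses in order.
ACL = [("self", "read"), ("anonymous", "auth"), ("*", "none")]


def rewrite_bind_dn(bind_dn):
    """Apply the proxy's bindDN rewrite: username form -> master directory DN."""
    m = BIND_REWRITE.match(bind_dn)
    if not m:
        return bind_dn
    return UID2DN.get(m.group(1), bind_dn)


def map_back_to_proxy_dn(master_dn):
    """Map the rewritten identity (2) back to the proxy-side DN (1)."""
    return MAP_BACK.sub(r"myid=\1,ou=zzz", master_dn)


def normalize_dn(dn):
    """Simplified DN comparison form: lower-case, whitespace around RDNs removed."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def access_for(entry_dn, bound_dn, acl=ACL):
    """Evaluate 'by' clauses in order; first match wins, default is none.

    bound_dn is None for an anonymous connection.  'self' requires exact
    normalized equality between the authorization DN and the entry DN,
    which is why a rewritten bind DN cannot be 'self' of a proxy-side entry.
    """
    for who, level in acl:
        if who == "self":
            if bound_dn is not None and normalize_dn(bound_dn) == normalize_dn(entry_dn):
                return level
        elif who == "anonymous":
            if bound_dn is None:
                return level
        elif who == "*":
            return level
    return "none"


def demo():
    """Reproduce the failing check from the log, then the mapped-back variant."""
    entry = "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz"
    bound_master = rewrite_bind_dn("uid=alice,ou=zzz")       # identity (2)
    bound_proxy = map_back_to_proxy_dn(bound_master)         # identity (1)
    return {
        "rewritten_identity": bound_master,
        "as_rewritten": access_for(entry, bound_master),      # 'self' misses -> none
        "mapped_back": access_for(entry, bound_proxy),        # 'self' matches -> read
        "anonymous": access_for(entry, None),                 # -> auth
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The takeaway for anyone writing ACLs behind a rewriting proxy is that `self` is evaluated against whatever identity the backend ends up holding after rewriting, so either the ACL must be expressed in that namespace (e.g. `dn.exact`/`dn.regex` on the master-side DN, or `realself` where proxy authorization is involved) or the identity must be mapped back before the ACL is checked.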