Re: ldap proxy acl filter problem
2011-09-14_16:54:56-0400 Howard Chu <hyc@symas.com>:
> >I've turned my logging way up, and the hiccup seems to be that the DN
> >I've authenticated as
> >(uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read
> >access to the attributes in the filter expression. But how do I give
> >that account read access to those attributes, without then exposing the
> >objects that I'm trying to hide with the filter expression?
>
> Give it auth access, not read access.
Did that, but it seems to want read access. ?
Sep 15 08:13:15 mid slapd[5050]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email", attr "yGlobalPermission" requested
Sep 15 08:13:15 mid slapd[5050]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 15 08:13:15 mid slapd[5050]: <= check a_dn_pat: uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 15 08:13:15 mid slapd[5050]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 15 08:13:15 mid slapd[5050]: <= acl_mask: [1] mask: auth(=xd)
Sep 15 08:13:15 mid slapd[5050]: => slap_access_allowed: read access denied by auth(=xd)
Carefully watching logs for both master directory and proxy server, the
master directory is passing the information required. It's the ACLs on
the proxy that are tripping me up.
search like:
ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
ldaprc like:
BASE ou=email
BINDDN uid=email,ou=admin
URI ldap://proxy.mtholyoke.edu
SIZELIMIT 40000
TLS_CACERT /local/etc/cert/ca/cacert.pem
Full config:
database ldap
suffix "ou=email"
uri "ldapi://%2Fvar%2Frun%2Fslapd%2Fmastertest%2Fldapi"
idassert-bind bindmethod=simple binddn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized" mode=self
chase-referrals yes
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap uid2emailDN "ldaps://dirt-master.mtholyoke.edu/ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu?dn?sub" binddn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized"
rwm-rewriteMap ldap yid2emailDN "ldaps://dirt-master.mtholyoke.edu/ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu?dn?sub" binddn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized"
# yUsername is rewritten to uid, so that's what we bind with
rwm-rewriteContext bindDN
rwm-rewriteRule "^(yDirectoryID=.+),ou=email"
    "${yid2emailDN($1)}"
    ":@I"
rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=email"
    "${uid2emailDN(yUsername=$1)}"
    ":@I"
rwm-suffixmassage "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
rwm-map objectClass inetOrgPerson yDummyA
rwm-map objectClass yAccount *
rwm-map objectClass *
rwm-map attribute givenName yNameFirstLegal
rwm-map attribute sn yNameLastLegal
rwm-map attribute uid yUsername
rwm-map attribute mail yPrimaryEmail
# keep these attribute names the same
rwm-map attribute yDirectoryID *
rwm-map attribute yInstitution *
rwm-map attribute yGlobalPermission *
rwm-map attribute yDefaultApplicationPermission *
rwm-map attribute yApplicationPermission *
rwm-map attribute ySHA1Password *
rwm-map attribute *
access to dn.sub="ou=email"
    by dn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * break
access to dn.sub="ou=email" attrs="entry"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * break
access to dn.sub="ou=email"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" auth
    by * break
access to dn.sub="ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by anonymous auth
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by * break
access to dn.regex="(yDirectoryID=.*),ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))"
    by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read
    by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read
    by * none
--
Ron Peterson
Network & Systems Administrator
Mount Holyoke College
http://www.mtholyoke.edu/~rpeterso
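As an added illustration (not part of the post, and not slapd code), the following is a simplified Python model of slapd's ACL evaluation order, driven by the first four `access` directives above. It assumes the documented semantics: first matching `to`, first matching `by`, a default `stop` control, `break` moving on to the next directive, and an implicit `by * none` closing each directive; the `dn.sub` and `filter=` selectors are approximated with Python predicates, the fifth (dn.regex) directive is left out, and the entry is a constructed sample shaped like the one in the log.

```python
# Added, simplified model of slapd ACL evaluation: first matching 'access to'
# directive, first matching 'by' clause, then its control: stop (default) ends
# evaluation, break moves to the next directive, continue keeps scanning clauses.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
EMAIL_DN = "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
PROXY_DN = "uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
ENTRY = {"dn": "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email",  # constructed
         "yInstitution": "mtholyoke.edu", "yGlobalPermission": "allow",
         "yApplicationPermission": ["email"]}

def email_filter(entry):
    """The filter= of the fourth ACL; (A|(B&!A)) is simplified to (A|B)."""
    return (entry.get("yInstitution") == "mtholyoke.edu"
            and entry.get("yGlobalPermission") == "allow"
            and ("email" in entry.get("yApplicationPermission", [])
                 or entry.get("yDefaultApplicationPermission") == "allow"))

def in_email(entry, attr): return entry["dn"].endswith(",ou=email")   # dn.sub="ou=email"
def entry_pseudo(entry, attr): return in_email(entry, attr) and attr == "entry"
def email_allowed(entry, attr): return in_email(entry, attr) and email_filter(entry)
def by_dn(dn, level, control="stop"): return (lambda who: who == dn, level, control)
ANY_BREAK = (lambda who: True, None, "break")   # 'by * break': keep mask, next directive

PROXY_ACLS = [   # ACLs 1-4 in the posted order; the fifth (dn.regex) one is omitted
    (in_email, [by_dn(PROXY_DN, "read"), ANY_BREAK]),
    (entry_pseudo, [by_dn(EMAIL_DN, "read"), ANY_BREAK]),
    (in_email, [by_dn(EMAIL_DN, "auth"), ANY_BREAK]),
    (email_allowed, [(lambda who: who is None, "auth", "stop"),   # by anonymous auth
                     by_dn(EMAIL_DN, "read"), ANY_BREAK]),
]
REORDERED = [PROXY_ACLS[0], PROXY_ACLS[1], PROXY_ACLS[3], PROXY_ACLS[2]]  # filter ACL first

def access_allowed(acls, who, entry, attr, requested):
    """Return (granted, trace); trace lines mirror slapd's acl_mask debug output."""
    mask, trace, decided = "none", [], False
    for n, (to_match, by_clauses) in enumerate(acls, 1):
        if not to_match(entry, attr):
            continue
        for i, (who_match, level, control) in enumerate(by_clauses, 1):
            if not who_match(who):
                continue
            mask = level or mask
            trace.append(f"acl {n} [{i}] applying {mask} ({control})")
            if control != "continue":
                decided = control == "stop"
                break
        else:                    # no stopping clause matched: implicit 'by * none'
            mask, decided = "none", True
        if decided:
            break
    # nothing decided means the implicit trailing 'access to * by * none' applies
    return decided and LEVELS.index(mask) >= LEVELS.index(requested), trace
```

With the posted order the trace stops at the third directive's `auth` clause, which is the `[1] applying auth(=xd) (stop)` line in the log, so the later `read` grant is never reached; with the filter directive evaluated before the plain `auth` one, the same read request is granted.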