[Date Prev][Date Next] [Chronological] [Thread] [Top]

ACLs being ignored with rwm/relay



Hi,

Sorry - can't figure this out - would welcome any ideas :)

The slapd.conf below contains an ACL:

access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none

which works fine on the "real" DN dc=dighum,dc=kcl,dc=ac,dc=uk
- I can add extra attrs like homeDirectory and an unauth'd ldapsearch will not list them - eg:

ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=dighum,dc=kcl,dc=ac,dc=uk



However, an

ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk

lists the "virtual copy" tree AND includes the userPassword attr for each entry which of course, is rather bad.

Anyone see why the ACLs are not being applied to the results of the relay/rwm section?

Many thanks,

Tim


slapd.conf

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        -1

# Where the dynamically loaded modules are stored
modulepath	/usr/lib/ldap
moduleload	back_hdb
moduleload	back_relay
moduleload	rwm

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

allow bind_anon_cred bind_anon_dn update_anon

backend		hdb
#backend		<other>

overlay rwm
rwm-rewriteEngine on

# Virtual maps
#
# map ou=staff,dc=cch to dc=dighum
#
database                relay
suffix                  "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay                   "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay                 rwm
rwm-suffixmassage       "dc=dighum,dc=kcl,dc=ac,dc=uk"

#######################################################################
# Specific Directives for database dighum
#
database        hdb
suffix          dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn          "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw          "CENSORED"
directory       "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30

#######################################################################
# ACLs
#
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by self write
        by * read


#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database        <other>
#suffix		"dc=debian,dc=org"
--
Tim Watts
Personal Blog: http://www.dionic.net/tim/