ACLs being ignored with rwm/relay
- To: openldap-technical@openldap.org
- Subject: ACLs being ignored with rwm/relay
- From: Tim Watts <tw@dionic.net>
- Date: Wed, 20 Jun 2012 18:08:08 +0100
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1
Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none
which works fine on the "real" DN dc=dighum,dc=kcl,dc=ac,dc=uk
- I can add extra attrs like homeDirectory and an unauth'd ldapsearch
will not list them - eg:
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=dighum,dc=kcl,dc=ac,dc=uk
However, an
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
lists the "virtual copy" tree AND includes the userPassword attr for
each entry, which of course is rather bad.
Anyone see why the ACLs are not being applied to the results of the
relay/rwm section?
Many thanks,
Tim
slapd.conf
#######################################################################
# Global Directives:
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel -1
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
allow bind_anon_cred bind_anon_dn update_anon
backend hdb
#backend <other>
overlay rwm
rwm-rewriteEngine on
# Virtual maps
#
# map ou=staff,dc=cch to dc=dighum
#
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#######################################################################
# Specific Directives for database dighum
#
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw "CENSORED"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30
#######################################################################
# ACLs
#
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by self write
        by * read
#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database <other>
#suffix "dc=debian,dc=org"
--
Tim Watts
Personal Blog: http://www.dionic.net/tim/
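An added configuration fragment, not part of the thread and not from the OpenLDAP project, showing one check worth making against the config above: in slapd.conf an access directive that follows a database directive belongs to that database only, and the relay section in the post defines no ACLs of its own, so moving the userPassword rule before the first database directive makes it apply to every database, the relay included. It assumes the same DNs as the post and that the admin's real DN, which lies outside the massaged suffix, is what the client binds with.

```conf
#######################################################################
# Global Directives (added example): ACLs placed BEFORE the first
# "database" directive so they apply to every database, including the
# relay database that exposes the virtual ou=staff,dc=cch tree.
#
# In the post's slapd.conf these rules sit after "database hdb", so they
# are scoped to the hdb database only; the relay database has none.
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none

access to dn.base="" by * read

access to *
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by self write
        by * read

# Virtual map ou=staff,dc=cch -> dc=dighum (unchanged from the post)
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

# Real tree (unchanged from the post; remaining hdb directives omitted)
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw "CENSORED"
directory "/var/lib/ldap"

# Check after restarting slapd: an anonymous search of the virtual tree
# must not return userPassword or shadowLastChange for any entry, e.g.
#   ldapsearch -x -LLL -H ldap://localhost/ \
#       -b ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk userPassword shadowLastChange
```

If the attributes are still returned after this change, the leak is not an ACL scoping problem and the relay/rwm path itself needs to be examined.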