Re: ACLs being ignored with rwm/relay
Hi,
Wonderful - the slapd.conf (see end), with a slight re-arrangement, works!
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk
-b dc=cch,dc=kcl,dc=ac,dc=uk
does not return userPassword attributes (the -D is only a convenience; no
authentication is performed).
However,
ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b
dc=cch,dc=kcl,dc=ac,dc=uk
does return userPassword - which is what I want. The UNIX domain socket is
protected by a root-owned, mode 700 directory, so only root can connect
this way - i.e. local root has full unauthenticated access to LDAP, which
is what I want, so that scripts can easily be run to maintain the LDAP
database.
Thanks again for your help :)
Cheers,
Tim
#######################################################################
# Global Directives:
#
# NOTE(review): everything above the first "database" line is global,
# so the "allow" line and the "access" rules below are not tied to any
# single database.
# Features to permit
#allow bind_v2
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
# NOTE(review): -1 enables every log category. Handy while chasing the
# ACL problem, but very noisy, and debug output can record request and
# entry details; lower it once the ACLs behave as intended.
loglevel -1
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm
# The maximum number of entries that is returned for a search operation
sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1
# Anonymous binds are accepted with a DN but no credentials (bind_anon_dn)
# and with credentials but no DN (bind_anon_cred). A bind that supplies
# "-D cn=admin,..." without a password is therefore presumably treated as
# anonymous, so the dn="cn=admin,..." clauses in the ACLs below would not
# match it - confirm. update_anon additionally lets anonymous connections
# attempt update operations; the ACLs still decide whether any such update
# is allowed.
allow bind_anon_cred bind_anon_dn update_anon
backend hdb
#backend <other>
# NOTE(review): an rwm instance declared before any "database" line, with
# the rewrite engine on but no rewrite rules following it; presumably a
# global (frontend) overlay. Confirm it is intended, since every relay
# database below also loads its own rwm instance.
overlay rwm
rwm-rewriteEngine on
#######################################################################
# ACLs
#
# These rules precede every "database" directive, so they are global.
# The relay databases below define no "access" rules of their own, so
# these are what governs the dc=cch,... views as well (see slapd.conf(5)
# for how global and per-database ACLs are combined).
#
# Password-class attributes: clients on the ldapi socket, the admin DN
# and the entry itself get write access; everyone else may only use the
# attribute to authenticate and cannot read it. This is what hides
# userPassword on the ldap://localhost/ search and reveals it over
# ldapi:///. The peername.path clause requires no bind at all - it trusts
# the filesystem permissions on the socket directory entirely, so that
# directory must stay restricted to root.
access to attrs=userPassword,shadowLastChange
by peername.path="/var/run/slapd/ldapi" write
by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
by anonymous auth
by self write
by * none
# The root DSE is readable by everyone.
access to dn.base="" by * read
# Everything else: ldapi clients and the admin DN may write, entries may
# modify themselves, and any connection - including anonymous ones, which
# are permitted above - may read.
access to *
by peername.path="/var/run/slapd/ldapi" write
by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
by self write
by * read
#######################################################################
# Virtual maps
#
# Each relay database presents part of the dc=cch,... tree as a view of
# the real dc=dighum,... hdb database; rwm-suffixmassage rewrites the
# suffix in both directions. Only the ou=staff map and the catch-all
# dc=cch map are enabled. The more specific suffix is listed before the
# catch-all one; presumably this ordering is the "re-arrangement" the
# mail mentions - confirm that order matters here.
#
# map ou=staff,dc=cch to dc=dighum
#
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=external,dc=cch to dc=dighum
#
#database relay
#suffix "ou=external,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=student,dc=cch to dc=dighum
#
#database relay
#suffix "ou=student,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=project,dc=cch to dc=dighum
#
#database relay
#suffix "ou=project,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map dc=cch to dc=dighum
#
database relay
suffix "dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#######################################################################
# Specific Directives for database dighum
#
# The real data store. The rootdn bypasses all ACLs when it binds with
# rootpw, so this file must not be readable by anyone but the slapd user.
# NOTE(review): the rootpw value is the base64 encoding of an {SSHA}
# hash (it decodes to "{SSHA}..."); slapd.conf takes rootpw literally and
# does not base64-decode it, so confirm slapd really sees the hash and not
# the encoded string as the password.
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw "e1NTSEF9TnkzOUx6aGZCRnQvOUIwQzZOeFIvcGtVcXRQWkZObXI="
directory "/var/lib/ldap"
# BDB environment tuning: 2 MiB cache, lock-table sizes.
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
# Maintain modifiersName/modifyTimestamp and friends.
lastmod on
# Checkpoint the database every 512 KiB of log or 30 minutes.
checkpoint 512 30
#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database <other>
#suffix "dc=debian,dc=org"
--
Tim Watts
Personal Blog: http://www.dionic.net/tim/