Re: access control with pbind overlay

[Ferenc Wagner <wferi@niif.hu>]

Dieter Klünter <dieter@dkluenter.de> writes:

> Am Mon, 29 Sep 2014 00:14:55 +0200 schrieb Ferenc Wagner <wferi@niif.hu>:
>
>> Ferenc Wagner <wferi@niif.hu> writes:
>> 
>>> I've got a partial syncrepl replica, which (among others) misses the
>>> userPassword attributes of the provider database.  I added a pbind
>>> overlay to the replica, which forwards binds to the provider, thus
>>> it became possible to do simple binds against the replica.  But
>>> access control on the replica does not honor these binds properly:
>>> "by users" works, but "by self" does not.  Before I waste too much
>>> time debugging: is it supposed to work at all?  I tested this under
>>> 2.4.31 with:
>>>
>>> dn: olcDatabase={1}mdb,cn=config
>>> olcAccess: to * by dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth read by self read by * none
>>> olcSyncrepl: rid=1 [...]
>>>
>>> The external auth part works, and if I replace self with users, that
>>> works as well (but is not what I want).  Do I expect too much?
>> 
>> Would anybody please provide some guidance on this problem?
>
> define an authorization regular expression in order to map sasl auth
> string to a DN.

The SASL auth part works as is, no problem with that, I included it only
to keep the olcAccess attribute verbatim.  But I'd like to get the "read
by self" part work with simple binds.  But these binds must be done
through the pbind overlay, as userPassword in not replicated.  Pbind
works to some extent, as binding only succeeds with the correct
password, but the "by self" selector does not fire, as if the remote and
local DN were treated as different.  Or is this what you imply, that I
still need a mapping in this case?
-- 
Thanks,
Feri.