[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: access control with pbind overlay

To: openldap-technical@openldap.org
Subject: Re: access control with pbind overlay
From: Ferenc Wagner <wferi@niif.hu>
Date: Mon, 29 Sep 2014 14:40:11 +0200
In-reply-to: <20140929122128.6371e4b3@pink.avci.de> ("Dieter Klünter"'s message of "Mon, 29 Sep 2014 12:21:28 +0200")
References: <87siji1zre.fsf@lant.ki.iif.hu> <87zjdjs880.fsf@lant.ki.iif.hu> <20140929094926.35a42c9d@pink.avci.de> <87bnpylqxm.fsf@lant.ki.iif.hu> <20140929122128.6371e4b3@pink.avci.de>
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)

Dieter Klünter <dieter@dkluenter.de> writes:

> Am Mon, 29 Sep 2014 11:24:53 +0200 schrieb Ferenc Wagner <wferi@niif.hu>:
>
>> Dieter Klünter <dieter@dkluenter.de> writes:
>> 
>>> Am Mon, 29 Sep 2014 00:14:55 +0200 schrieb Ferenc Wagner <wferi@niif.hu>:
>>>
>>>> Ferenc Wagner <wferi@niif.hu> writes:
>>>> 
>>>>> I've got a partial syncrepl replica, which (among others) misses
>>>>> the userPassword attributes of the provider database.  I added a
>>>>> pbind overlay to the replica, which forwards binds to the
>>>>> provider, thus it became possible to do simple binds against the
>>>>> replica.  But access control on the replica does not honor these
>>>>> binds properly: "by users" works, but "by self" does not.  Before
>>>>> I waste too much time debugging: is it supposed to work at all?
>>>>> I tested this under 2.4.31 with:
>>>>>
>>>>> dn: olcDatabase={1}mdb,cn=config
>>>>> olcAccess: to * by
>>>>> dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth
>>>>> read by self read by * none olcSyncrepl: rid=1 [...]
>>>>>
>>>>> The external auth part works, and if I replace self with users,
>>>>> that works as well (but is not what I want).  Do I expect too
>>>>> much?
>>>> 
>>>> Would anybody please provide some guidance on this problem?
>>>
>>> define an authorization regular expression in order to map sasl auth
>>> string to a DN.
>> 
>> The SASL auth part works as is, no problem with that, I included it
>> only to keep the olcAccess attribute verbatim.  But I'd like to get
>> the "read by self" part work with simple binds.  But these binds must
>> be done through the pbind overlay, as userPassword in not
>> replicated.  Pbind works to some extent, as binding only succeeds
>> with the correct password, but the "by self" selector does not fire,
>> as if the remote and local DN were treated as different.  Or is this
>> what you imply, that I still need a mapping in this case?
>
> Define a DN in the access rules, as 'self' must match a DN.

I must be missing something, then...  Isn't "to *" enough?  It certainly
works on the master, does pbind have extra requirements?
-- 
Thanks,
Feri.

References:
- access control with pbind overlay
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: access control with pbind overlay
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: access control with pbind overlay
  - From: Dieter Klünter <dieter@dkluenter.de>
- Re: access control with pbind overlay
  - From: Ferenc Wagner <wferi@niif.hu>
- Re: access control with pbind overlay
  - From: Dieter Klünter <dieter@dkluenter.de>

Prev by Date: Re: access control with pbind overlay
Next by Date: Re: Ldap performance : help needed
Index(es):
- Chronological
- Thread