[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Acl on a replicated tree: unable to bind as user
- To: openldap-technical@openldap.org
- Subject: Acl on a replicated tree: unable to bind as user
- From: Giuseppe Civitella <gcivitella@enter.eu>
- Date: Tue, 27 Feb 2018 09:42:12 +0100
- Content-language: en-US
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/simple; d=enter.eu; s=201710; t=1519720933; bh=efzp4UwqgtivN7qHqr55mzRRl7807MrskwMopKykCwU=; h=To:From:Subject:Date:From; b=bsgMWVrWli0nMnsAsAhfIJ1IOM0glIOgK4TptQm5PQnwoTtPcwqx+dOHgUzm5tc9y oUkyBu5p8TRfXiWCjLuITpT8z77I55LPW+G5aZUjxmpWkGTTKW7q7cJ14PVJiuYTRJ ig/mG2P0w0U124Ss8vQi04AutU/T6E4g5uPjKUHg=
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
Hi all,
I've got a master / slave replica setup. I did use this tutorial to set
up the replica:
https://wiki.debian.org/LDAP/OpenLDAPSetup
My ldap tree is something like: Root -> o=(first level local branch),
o=(first level replicated branch).
The local branch is just a cut and paste of the replicated branch.
On the slave server I can use the replicated branch to authenticate
against a Radius server.
On the master server I realized I cannot let web users authenticate
against the replicated branch.
If I try to bind as a user from the replicated branch, on both the
master and the slave, I get:
ldapwhoami -H ldap://localhost -D
"uid=gcivitella,ou=users,o=isiline,dc=who,dc=is" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
On the master, on the local branch, I get:
ldapwhoami -H ldap://localhost -D
"cn=gcivitella,ou=users,o=area51,dc=who,dc=is" -W
Enter LDAP Password:
dn:cn=gcivitella,ou=users,o=area51,dc=who,dc=is
I did try to configure the acl on the server to disallow anonymous bind.
And, once found this problem, I did try to create a bind user
(uid=read_only) able to read the replicated branch, userPassword attrs
included.
Unfortunately this did not solve the problem.
My acl on the master are:
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=who,dc=is
olcAccess: {0}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=read_only,ou
=binds,dc=who,dc=is" read
olcAccess: {1}to dn.subtree="o=isiline,dc=who,dc=is" by dn="uid=isi_replica,
ou=binds,dc=who,dc=is" read
olcAccess: {2}to attrs=userPassword by self write by anonymous auth by * non
e
olcAccess: {3}to attrs=shadowLastChange by self write by * read
olcAccess: {4}to * by users read
I'm quite new to this kind of setup, is this something to be expected?
Is there a way to bind directly on the replicated branch?
Regards,
Giuseppe