proxy ldap (back_ldap) with group ACL?
- To: openldap-technical@openldap.org
- Subject: proxy ldap (back_ldap) with group ACL?
- From: "brent s." <bts@square-r00t.net>
- Date: Fri, 7 Feb 2020 19:42:40 -0500
Hey, all!
First, a BIG thank you to both JoBbZ and tarpman in #openldap, they've
got me this far (p.s. JoBbZ- switched over to the symas packages for my
test env, replacement was more or less seamless. need to schedule some
downtime for prod, but thanks for passing that along!)
However, I'm now at a standstill.
I'm using the OLC config (...I guess that's like saying "PIN number").
I have two servers, foo.domain.tld and bar.domain.tld.
foo.domain.tld has a DSA of dc=domain,dc=com and bar.domain.tld has a DSA
of dc=domain,dc=net.
I can successfully auth as e.g. cn=username,dc=domain,dc=net to
foo.domain.tld using the following configuration (at
olcDatabase={3}ldap,cn=config):
dn: olcDatabase={3}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
olcDatabase: {3}ldap
olcDbIDAssertAuthzFrom: {0}"dn:*"
olcDbIDAssertBind: mode=self
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: start
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
However, when I attempt to e.g. implement the following ACL on
foo.domain.tld:
{2}to dn.exact="ou=groupname,dc=domain,dc=com" attrs=children
(...)
by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage
by * none
I get the error:
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(it is a given that cn=username,dc=domain,dc=net is indeed a member
("member" attribute) of the groupOfNames object
cn=GroupAdmins,dc=domain,dc=net and additionally, the
cn=username,dc=domain,dc=net object has the "memberOf" attribute
"cn=GroupAdmins,dc=domain,dc=net")
I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I
need to reference the group in the ACL explicitly with the LDAP URI
prefixed or something?
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
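A diagnostic for the situation described in the post above, added here as an example; it is not code from the original message nor from the OpenLDAP project. When slapd evaluates a `by group.exact=<dn>` clause it fetches the group entry and inspects its `member` attribute, and for a group that lives under a back_ldap suffix that fetch is forwarded to the remote server. The script below reproduces that read with `ldapsearch` against both the proxy (foo) and the origin (bar) for the same bind identity, then checks whether the user's DN comes back as a member value, so the two answers can be compared side by side. Host names, DNs and the group name are the placeholders from the post; it assumes the OpenLDAP client tools are installed and that both servers accept StartTLS (matching `olcDbStartTLS: start`). The embedded LDIF is constructed sample data, not real server output.

```shell
#!/bin/sh
# Added diagnostic for a back_ldap group ACL; not from the original post or
# from OpenLDAP. Hosts, DNs and group names are the placeholders used in the
# post and are assumptions.
set -eu

# Print the ldapsearch invocation that mirrors slapd's group lookup:
# base-scope read of the group entry, asking only for "member".
# -ZZ insists on StartTLS (as olcDbStartTLS: start does); -LLL gives bare LDIF.
group_lookup_cmd() {
  uri=$1; binddn=$2; groupdn=$3
  printf 'ldapsearch -LLL -ZZ -H %s -D "%s" -W -b "%s" -s base "(objectClass=*)" member\n' \
    "$uri" "$binddn" "$groupdn"
}

# Normalise a DN the way a simple comparison needs it: lower-case and no
# blanks after RDN separators (slapd compares normalised DNs, so a mismatch
# in case or spacing in the ACL is not what you are looking for).
norm_dn() {
  printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# Read LDIF on stdin and return 0 if the DN in $1 appears as a member value.
# Base64-encoded values (member::) are skipped; plain DNs are not encoded.
member_in_ldif() {
  want=$(norm_dn "$1")
  found=1
  while IFS= read -r line || [ -n "$line" ]; do
    case $line in
      member::*) continue ;;
      member:*)
        val=${line#member:}
        val=${val# }
        if [ "$(norm_dn "$val")" = "$want" ]; then found=0; fi
        ;;
    esac
  done
  return $found
}

# Constructed sample (not captured output): what a direct read of the group
# on bar.domain.tld is expected to look like when the user is a member.
SAMPLE_LDIF='dn: cn=GroupAdmins,dc=domain,dc=net
objectClass: groupOfNames
cn: GroupAdmins
member: cn=username,dc=domain,dc=net
member: cn=other,dc=domain,dc=net
'

# Usage: sh check-group.sh run
# Runs the same read through the proxy and against the origin as the user
# the ACL is being evaluated for; ldapsearch prompts for the password each time.
if [ "${1:-}" = "run" ]; then
  user=cn=username,dc=domain,dc=net
  group=cn=GroupAdmins,dc=domain,dc=net
  for uri in ldap://foo.domain.tld ldap://bar.domain.tld; do
    echo "== $uri"
    cmd=$(group_lookup_cmd "$uri" "$user" "$group")
    echo "$cmd"
    if eval "$cmd" | member_in_ldif "$user"; then
      echo "member value for $user is visible via $uri"
    else
      echo "member value for $user is NOT visible via $uri"
    fi
  done
fi
```

If the member value is visible from bar but not through foo for the same bind, the difference is in how the proxied read is being performed (which identity back_ldap asserts for it), which is the spot the `ldap_back_is_proxy_authz returned 0` message in the log is pointing at; if it is visible through both, the ACL's group DN itself is the next thing to compare against what the log shows slapd actually checked (`cn=groupadmins,ou=groups,dc=domain,dc=net` versus `cn=GroupAdmins,dc=domain,dc=net` in the ACL).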