Re: proxy ldap (back_ldap) with group ACL?
- To: openldap-technical@openldap.org
- Subject: Re: proxy ldap (back_ldap) with group ACL?
- From: "brent s." <bts@square-r00t.net>
- Date: Fri, 7 Feb 2020 22:27:49 -0500
- In-reply-to: <1b19fa35-8ca6-3956-40c1-e34034cd9abc@square-r00t.net>
- References: <1b19fa35-8ca6-3956-40c1-e34034cd9abc@square-r00t.net>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2
On 2/7/20 19:42, brent s. wrote:
> {2}to dn.exact="ou=groupname,dc=domain,dc=com" attrs=children
> (...)
> by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage
> by * none
>
> I get the error:
>
> Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry
> "ou=groupname,dc=domain,dc=com", attr "entry" requested
> Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by
> "cn=username,dc=domain,dc=net", (=0)
> Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat:
> cn=groupadmins,ou=groups,dc=domain,dc=net
> Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn
> 0x7f7700009ef0 fetched refcnt=1.
> Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz
> returned 0, misconfigured URI?
>
> (it is a given that cn=username,dc=domain,dc=net is indeed a member
> ("member" attribute) of the groupOfNames object
> cn=GroupAdmins,dc=domain,dc=net and additionally, the
> cn=username,dc=domain,dc=net object has the "memberOf" attribute
> "cn=GroupAdmins,dc=domain,dc=net")
Sorry, borked the scrubbing.
Correction: the above ACL line and references to it should be:
by group.exact="cn=GroupAdmins,ou=Groups,dc=domain,dc=net" manage
(as reflected in the log entries), not:
by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
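As an added example that is not part of this thread or of OpenLDAP itself: a small Python check that pulls the group DN out of a `by group.exact=` ACL clause and out of slapd's `<= check a_group_pat:` log line, then compares the two as DNs (RDN by RDN, case-folded) rather than as raw strings. Run against the lines from this message it reports exactly the slip being corrected above: the scrubbed ACL DN is missing the `ou=Groups` RDN that the log shows. The ACL and log lines are copied from the thread; the case-folding assumes that cn, ou and dc use case-insensitive equality matching, which holds for their standard schema definitions but would not for a case-exact attribute.

```python
import re

# Sample inputs copied from the thread: the scrubbed (wrong) ACL clause from the
# original post, the corrected clause, and the slapd debug line that shows
# which group entry slapd actually evaluated.
ACL_ORIGINAL = 'by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage'
ACL_CORRECTED = 'by group.exact="cn=GroupAdmins,ou=Groups,dc=domain,dc=net" manage'
LOG_LINE = ('Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: '
            'cn=groupadmins,ou=groups,dc=domain,dc=net')

# group[/objectclass[/attrname]].exact="<dn>"  (slapd.access(5) group clause)
ACL_GROUP_RE = re.compile(r'\bgroup(?:/[A-Za-z0-9_-]+)*\.exact="([^"]+)"')
LOG_GROUP_RE = re.compile(r'check a_group_pat:\s*(\S+)')


def split_dn(dn):
    """Split a DN string into its RDN strings, honouring backslash-escaped
    commas (RFC 4514), so "cn=a\\,b,dc=x" yields two RDNs, not three."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == '\\' and i + 1 < len(dn):
            cur.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if ch == ',':
            rdns.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append(''.join(cur).strip())
    return rdns


def normalize_dn(dn):
    """Normalise a DN for comparison: each RDN becomes a sorted tuple of
    (type, value) pairs with both parts case-folded.

    Assumption: every attribute type in the DN (cn, ou, dc here) uses a
    case-insensitive equality rule, as in the standard schema. A case-exact
    attribute would need schema-aware handling instead of blanket lowering.
    """
    out = []
    for rdn in split_dn(dn):
        avas = []
        for ava in rdn.split('+'):          # multi-valued RDNs use '+'
            atype, _, value = ava.partition('=')
            avas.append((atype.strip().lower(), value.strip().lower()))
        out.append(tuple(sorted(avas)))
    return tuple(out)


def acl_group_dn(acl_line):
    """Return the DN quoted in a 'by group.exact="..."' clause, or None."""
    m = ACL_GROUP_RE.search(acl_line)
    return m.group(1) if m else None


def log_group_dn(log_line):
    """Return the group DN slapd reports in a '<= check a_group_pat:' line."""
    m = LOG_GROUP_RE.search(log_line)
    return m.group(1) if m else None


def acl_matches_log(acl_line, log_line):
    """True when the ACL's group DN and the DN slapd evaluated name the same
    entry (same RDN sequence, case ignored)."""
    acl_dn, log_dn = acl_group_dn(acl_line), log_group_dn(log_line)
    if acl_dn is None or log_dn is None:
        raise ValueError('could not extract a group DN from the given lines')
    return normalize_dn(acl_dn) == normalize_dn(log_dn)


def missing_rdns(acl_line, log_line):
    """List the RDNs (as 'type=value', case-folded) that slapd's group DN has
    but the ACL clause lacks: the quickest way to see a dropped component."""
    want = normalize_dn(log_group_dn(log_line))
    have = set(normalize_dn(acl_group_dn(acl_line)))
    return ['+'.join(f'{t}={v}' for t, v in rdn) for rdn in want if rdn not in have]


if __name__ == '__main__':
    for label, acl in (('original', ACL_ORIGINAL), ('corrected', ACL_CORRECTED)):
        print(f'{label}: match={acl_matches_log(acl, LOG_LINE)} '
              f'missing={missing_rdns(acl, LOG_LINE)}')
```

The comparison is done on parsed RDNs rather than on the raw strings because slapd's debug output prints the normalised (lower-cased) DN while the ACL keeps whatever case the administrator typed; a plain string compare would flag every ACL as wrong.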