Re: proxy ldap (back_ldap) with group ACL? [SOLVED]
- To: openldap-technical@openldap.org
- Subject: Re: proxy ldap (back_ldap) with group ACL? [SOLVED]
- From: "brent s." <bts@square-r00t.net>
- Date: Thu, 13 Feb 2020 09:34:44 -0500
- In-reply-to: <1b19fa35-8ca6-3956-40c1-e34034cd9abc@square-r00t.net>
- References: <1b19fa35-8ca6-3956-40c1-e34034cd9abc@square-r00t.net>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.2
On 2/7/20 19:42, brent s. wrote:
> Hey, all!
(SNIP)
>
> I get the error:
>
> Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
> Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
> Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
> Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
> Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(SNIP)
> I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I
> need to reference the group in the ACL explicitly with the LDAP URI
> prefixed or something?
>
Update: this was indeed a PEBKAC. I'm not sure which exactly caused it,
but it is now working after:
1.) I added an appropriate TLS_CACERT to /etc/openldap/ldap.conf (is
this redundant with OLC? See #2 below) on the proxy and the target server.
2.) I changed olcTLSCACertificateFile in cn=config to match the value of #1
on the proxy and target server.
3.) The olcDatabase={3}ldap,cn=config entry now reads as such:
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcDbIDAssertBind: bindmethod=simple
 binddn="cn=proxyUser,dc=domain,dc=net"
 credentials=somePasswordHere
 starttls=critical
 tls_protocol_min=1.2
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
I can now both auth successfully as a bind DN located on
dc=domain,dc=net to dc=domain,dc=com AND use group-based ACL rules on
dc=domain,dc=com based on groups found on dc=domain,dc=net (after
appropriate ACL rules for reading those groups' membership were created
on dc=domain,dc=net for cn=proxyUser,dc=domain,dc=net).
Sorry for the noise!
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
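The two ACL halves the post describes (a group-based rule on the proxy's local dc=domain,dc=com database that names a group held on bar, and a rule on bar letting cn=proxyUser,dc=domain,dc=net read that group's membership), written out as an added example; this is not the poster's configuration and not part of OpenLDAP's own documentation. Assumed here: the local database on the proxy is olcDatabase={2}mdb and the one on bar is olcDatabase={1}mdb (check with ldapsearch against cn=config), the groups are groupOfNames with a member attribute, and slapd's internal membership lookup is forwarded to bar through the {3}ldap database as the idassert identity cn=proxyUser, which is what the post's remark about creating read ACLs for that DN implies. The group DN cn=groupadmins,ou=groups,dc=domain,dc=net is the one from the quoted log.

```ldif
# --- On the proxy (foo): local database holding dc=domain,dc=com ---
# {2}mdb is an assumption; confirm the index with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix
# "replace: olcAccess" overwrites the whole ACL list: merge with existing rules.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
# The group DN is under dc=domain,dc=net, which slapd resolves to the
# {3}ldap proxy database (olcSuffix: dc=domain,dc=net); the membership
# check therefore becomes an internal search sent to bar.
# groupOfNames/member is assumed; use groupOfUniqueNames/uniqueMember
# if that is what the groups actually use.
olcAccess: {1}to dn.subtree="dc=domain,dc=com"
  by group/groupOfNames/member.exact="cn=groupadmins,ou=groups,dc=domain,dc=net" write
  by users read
  by * none

# --- On the target (bar): database holding dc=domain,dc=net ---
# Assumed: the internal lookup arrives as cn=proxyUser,dc=domain,dc=net,
# so that DN needs read on the group entries (entry pseudo-attribute,
# objectClass, cn) and on member. It is granted nothing beyond that.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to dn.subtree="ou=groups,dc=domain,dc=net"
  attrs=entry,objectClass,cn,member
  by dn.exact="cn=proxyUser,dc=domain,dc=net" read
  by users read
  by * none
olcAccess: {2}to *
  by users read
  by * none
```

Apply each half with ldapmodify against the respective server's cn=config. Before trusting the proxy-side rule, confirm from the proxy host that the idassert identity can actually see the membership attribute over a verified TLS session, which is the part the post's TLS_CACERT / olcTLSCACertificateFile fix addressed: ldapsearch -ZZ -H ldap://bar.domain.tld -D cn=proxyUser,dc=domain,dc=net -W -b ou=groups,dc=domain,dc=net member. If that search returns entries without member values, the ACL on bar is still wrong and the proxy's group rule will silently deny. Keep in mind that the olcDbIDAssertBind credentials= value sits in cleartext in cn=config and its on-disk LDIF, so reads of that entry must stay restricted to the config rootdn and the file must not be world-readable.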