Re: (ITS#5601) set-acl failure under back-ldap+rwm - openldap-bugs

12 Jul 2008


      ando@sys-net.it wrote:
    > mbackes@symas.com wrote:
...
The reason is quite simple: set expansion uses the rewritten DN as the 
user's name, so a local lookup of the entry "cn=user,dc=remote" fails 
since no local database serves the naming context "dc=remote".  The root 
cause is that back-ldap binds as the rewritten DN, which is later stored 
as the real identity.  I think this was done on purpose, and is to some 
extent appropriate, but makes the type of ACL you want to design 
basically impossible.  A solution would be to make slapo-rwm intercept 
successful binds (in the cleanup callback) and rewrite back the bound DN 
into the virtual naming context.  I'll see if it is possible, but then 
we need to decide whether this is the desired behavior.  Otherwise, we'd 
need to have two o_ndn fields: the real DN and the real-real DN.
To further elaborate, even if the virtual DN is set instead of the real 
one in c_ndn, the operation fails because ACL checking passes through 
bi_entry_get_rw(), which is not provided by slapo-rwm, and can't be 
provided according to the current design, since it does not allow to 
massage the arguments.  As a quick'n'dirty fix, what you can do is make 
the proxy database serve both naming contexts, namely
database ldap
suffix "dc=remote,dc=local"
suffix "dc=remote"
uri "ldap://127.0.0.1:2389"
acl-bind bindmethod=simple
         binddn="cn=user,dc=remote"
         credentials=secret
overlay rwm
rwm-suffixmassage "dc=remote,dc=local" "dc=remote"
This allows the proxy database to be found by select_backend() when 
searching the right backend using the real naming context.  At the same 
time, internal searches occur as expected.
This is a hack; the real fix requires to redesign the API of 
bi_entry_get_rw(), to let it modify the request arguments while letting 
the real function do the hard job.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   ando@sys-net.it
-----------------------------------