Hi,
It's been a long time (like 7 years) since I used OpenLDAP and read the
lists, so first: hello again! :-)
I'm using "OpenLDAP: slapd 2.3.30" from Debian/etch, trying to access
two database shadows via a slapd-ldap proxy. The shadow contains these
two databases, holding NSS and addressbook entries (passwords changed):
#######################################################################
# The NSS database contains NSS accounts and groups.
database bdb
suffix "dc=nss,dc=sipwise,dc=com"
directory "/var/lib/ldap/nss"
lastmod on
rootdn "cn=root,dc=nss,dc=sipwise,dc=com"
rootpw s1kkr1t
dbconfig set_cachesize 0 20971520 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass,cn,uid,uidNumber,gidNumber eq
# Replicate the NSS database from the provider on db1
# (continuation lines of one directive start with whitespace).
syncrepl rid=002
        provider=ldap://db1
        bindmethod=simple
        binddn="cn=root,dc=nss,dc=sipwise,dc=com"
        credentials=s1kkr1t
        searchbase="dc=nss,dc=sipwise,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
#######################################################################
# The addressbook database contains contacts for e-mail and phone.
database bdb
suffix "dc=addressbook,dc=sipwise,dc=com"
directory "/var/lib/ldap/addressbook"
lastmod on
rootdn "cn=root,dc=addressbook,dc=sipwise,dc=com"
rootpw s1kkr1t
dbconfig set_cachesize 0 20971520 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass,entryUUID eq
index cn,sn,mail,givenName sub
# Replicate the addressbook database from the provider on db1
syncrepl rid=003
        provider=ldap://db1
        bindmethod=simple
        binddn="cn=root,dc=addressbook,dc=sipwise,dc=com"
        credentials=s1kkr1t
        searchbase="dc=addressbook,dc=sipwise,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
The simple ACL configuration is:
#######################################################################
# Passwords may only be used for authentication, never read
access to attrs=userPassword
        dn.subtree="ou=people,dc=nss,dc=sipwise,dc=com"
        by anonymous auth
        by * none
# Authenticated users may read NSS data and edit the addressbook
access to dn.subtree="dc=nss,dc=sipwise,dc=com"
        by users read
        by * none
access to dn.subtree="dc=addressbook,dc=sipwise,dc=com"
        by users write
        by * none
Trying to access the two databases using ldapsearch (directly towards
the shadow, not the local slapd) on the proxy machine works just fine.
The slapd.conf on the proxy contains two "ldap" databases which forward
requests to the shadow databases:
#######################################################################
# The nss database contains NSS accounts.
database ldap
suffix "dc=nss,dc=sipwise,dc=com"
uri "ldap://db/"
#######################################################################
# The addressbook database contains contacts for e-mail and phone.
database ldap
suffix "dc=addressbook,dc=sipwise,dc=com"
uri "ldap://db/"
Now, trying to access the nss database using ldapsearch towards the
proxy from a client works fine too, but I can't get any entries from the
addressbook.
The command lines are:
ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
        -W -b dc=nss,dc=sipwise,dc=com cn=\*
ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
        -W -b dc=addressbook,dc=sipwise,dc=com cn=\*
When running slapd with "-d 128" on the shadow, after the authentication
stuff, I can see the following for the nss database:
=> acl_mask: access to entry "dc=nss,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com", (=0)
And for the addressbook database I get:
=> acl_mask: access to entry "dc=addressbook,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "", (=0)
I.e. it looks like access to the addressbook database is done
anonymously, even though authentication is performed right before. When
doing the ldapsearches directly to the shadow, this does not happen.
Am I missing something in the proxy configuration? Why does searching
the nss database work? Because my bind user is within the same database?
Sounds a little bit weird to me.
Thanks a lot and best regards,
daniel
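As an added example (not part of the mail above and not OpenLDAP code), a small Python check that walks slapd "-d 128" output like the lines quoted in the mail and reports which entries the backend was asked to authorize with an empty bind DN, i.e. anonymously. That is the symptom to look for when a proxy forwards a search without the client's identity; the sample lines are constructed from the ones in the mail.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the acl_mask lines quoted in the mail
# (not captured from a live server).
SAMPLE_LOG = """\
=> acl_mask: access to entry "dc=nss,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com", (=0)
=> acl_mask: access to entry "dc=addressbook,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "", (=0)
"""

# Line shapes emitted by slapd's ACL debug output (-d 128 / ACL level).
ENTRY_RE = re.compile(
    r'^=> acl_mask: access to entry "([^"]*)", attr "([^"]*)" requested$')
BY_RE = re.compile(
    r'^=> acl_mask: to (?:all values|value [^ ]+) by "([^"]*)", \(=(\w*)\)$')


def parse_acl_mask(log: str) -> List[Dict[str, str]]:
    """Pair each 'access to entry' line with the 'by <dn>' line that follows it."""
    events: List[Dict[str, str]] = []
    current = None
    for line in log.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            current = {"entry": m.group(1), "attr": m.group(2)}
            continue
        m = BY_RE.match(line)
        if m and current is not None:
            current["bind_dn"] = m.group(1)   # "" means the request was anonymous
            current["mask"] = m.group(2)      # access mask slapd granted
            events.append(current)
            current = None
    return events


def anonymous_accesses(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Events where the backend saw no bound identity at all."""
    return [e for e in events if e["bind_dn"] == ""]


def anonymous_suffixes(log: str) -> List[str]:
    """Sorted list of entries that were evaluated anonymously; for a proxied
    setup this shows which backend the proxy reached without credentials."""
    return sorted({e["entry"] for e in anonymous_accesses(parse_acl_mask(log))})


if __name__ == "__main__":
    for entry in anonymous_suffixes(SAMPLE_LOG):
        print("anonymous access evaluated for", entry)
```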