Hej,
It's been a long time since I used OpenLDAP and read the lists (like 7 years ago), so first: hello again! :-)
I'm using "OpenLDAP: slapd 2.3.30" from debian/etch, trying to access two database shadows via a slapd-ldap proxy. The shadow contains these two databases holding NSS and addressbook entries: (passwords changed)
#######################################################################
# The NSS database contains NSS accounts and groups.
database        bdb
suffix          "dc=nss,dc=sipwise,dc=com"
directory       "/var/lib/ldap/nss"
lastmod         on
rootdn          "cn=root,dc=nss,dc=sipwise,dc=com"
rootpw          s1kkr1t
dbconfig        set_cachesize 0 20971520 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass,cn,uid,uidNumber,gidNumber eq
syncrepl        rid=002
                provider=ldap://db1
                bindmethod=simple
                binddn="cn=root,dc=nss,dc=sipwise,dc=com"
                credentials=s1kkr1t
                searchbase="dc=nss,dc=sipwise,dc=com"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"

#######################################################################
# The addressbook database contains contacts for e-mail and phone.
database        bdb
suffix          "dc=addressbook,dc=sipwise,dc=com"
directory       "/var/lib/ldap/addressbook"
lastmod         on
rootdn          "cn=root,dc=addressbook,dc=sipwise,dc=com"
rootpw          s1kkr1t
dbconfig        set_cachesize 0 20971520 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass,entryUUID eq
index           cn,sn,mail,givenName sub
syncrepl        rid=003
                provider=ldap://db1
                bindmethod=simple
                binddn="cn=root,dc=addressbook,dc=sipwise,dc=com"
                credentials=s1kkr1t
                searchbase="dc=addressbook,dc=sipwise,dc=com"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"
The simple ACL configuration is:
#######################################################################
access to attrs=userPassword dn.subtree="ou=people,dc=nss,dc=sipwise,dc=com"
        by anonymous auth
        by * none
access to dn.subtree="dc=nss,dc=sipwise,dc=com"
        by users read
        by * none
access to dn.subtree="dc=addressbook,dc=sipwise,dc=com"
        by users write
        by * none
Trying to access the two databases using ldapsearch (directly towards the shadow, not the local slapd) on the proxy machine works just fine. The slapd.conf on the proxy contains two "ldap" databases which forward requests to the shadow databases:
#######################################################################
# The nss database contains NSS accounts.
database        ldap
suffix          "dc=nss,dc=sipwise,dc=com"
uri             "ldap://db/"

#######################################################################
# The addressbook database contains contacts for e-mail and phone.
database        ldap
suffix          "dc=addressbook,dc=sipwise,dc=com"
uri             "ldap://db/"
Now, trying to access the nss database using ldapsearch towards the proxy from a client works fine too, but I can't get any entries from the addressbook.
Command lines are:

ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
    -W -b dc=nss,dc=sipwise,dc=com cn=*
ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
    -W -b dc=addressbook,dc=sipwise,dc=com cn=*
When running slapd with "-d 128" on the shadow, after the authentication stuff, I can see the following for the nss database:

=> acl_mask: access to entry "dc=nss,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com", (=0)

And for the addressbook database I get:

=> acl_mask: access to entry "dc=addressbook,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "", (=0)
I.e. it looks like access to the addressbook database is done anonymously, even though authentication is performed right before. When doing the ldapsearches directly to the shadow, this does not happen.
Am I missing something in the proxy configuration? Why does searching the nss database work? Because my bind user is within the same database? Sounds a little bit weird to me.
Thanks a lot and best regards, daniel
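Added example (editor's addition, not part of Daniel's post or his configuration). The `by ""` in the acl_mask line is what slapd-ldap produces when the client bound against a different database: the nss proxy database forwarded the client's bind and reuses that authenticated upstream connection, while the addressbook proxy database never received a bind, so its own connection to db is anonymous and the shadow's `by users write` rule correctly denies it. The remedy slapd-ldap(5) provides for this is identity assertion: the proxy binds upstream with an identity of its own and asserts the client's DN via the proxyAuthz control (`idassert-bind`), and the shadow is told to trust that identity for those users (`authz-policy` in slapd.conf(5) plus an `authzTo` value on the proxy's entry). The proxy identity `cn=proxy,dc=nss,dc=sipwise,dc=com`, its password and the `dn.regex` pattern are assumptions chosen to match the DNs in the post; the LDIF entry is constructed for this example and needs cosine.schema for simpleSecurityObject.

```conf
# --- proxy: slapd.conf, addressbook "ldap" database (replaces the block above) ---
database        ldap
suffix          "dc=addressbook,dc=sipwise,dc=com"
uri             "ldap://db/"
# Only local identities matching this pattern may be asserted upstream;
# anyone else (e.g. anonymous clients) keeps an anonymous upstream connection.
idassert-authzFrom "dn.regex:^uid=[^,]+,ou=people,dc=nss,dc=sipwise,dc=com$"
# Bind upstream as the proxy's own identity (assumed DN/password) and assert
# the client's DN with the proxyAuthz control. Check slapd-ldap(5) of the
# installed version for the exact semantics of mode=.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=nss,dc=sipwise,dc=com"
                credentials="pr0xy-s3cret"
                mode=self

# --- shadow: slapd.conf, global section (before the first "database") ---
# Let each identity's own authzTo values decide whom it may act for.
authz-policy    to

# --- shadow: ACL for the nss database, placed before the general dc=nss rule ---
# The proxy identity lives outside ou=people, so it needs its own auth rule.
access to attrs=userPassword dn.exact="cn=proxy,dc=nss,dc=sipwise,dc=com"
        by anonymous auth
        by * none

# --- shadow: constructed LDIF for the proxy identity, loaded with ldapadd
# --- as the nss rootdn. authzTo is an operational attribute defined by slapd
# --- itself, so no objectClass needs to list it.
dn: cn=proxy,dc=nss,dc=sipwise,dc=com
objectClass: organizationalRole
objectClass: simpleSecurityObject
cn: proxy
userPassword: pr0xy-s3cret
authzTo: dn.regex:^uid=[^,]+,ou=people,dc=nss,dc=sipwise,dc=com$
```

With this in place the addressbook search from the client is evaluated on the shadow against the asserted user, so the existing `by users write` rule applies to it and the acl_mask line names the user's DN instead of the empty string. Keeping `idassert-authzFrom` and `authzTo` restricted to the ou=people subtree means the proxy can never be used to act as the rootdn or any other identity, which is the property worth checking with `-d 128` once the change is deployed.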