Hej,
It's been a long time since I used OpenLDAP and read the lists (like 7 years ago), so first: hello again! :-)
I'm using "OpenLDAP: slapd 2.3.30" from debian/etch, trying to access two database shadows via a slapd-ldap proxy. The shadow contains these two databases holding NSS and addressbook entries: (passwords changed)
#######################################################################
# The NSS database contains NSS accounts and groups.
database        bdb
suffix          "dc=nss,dc=sipwise,dc=com"
directory       "/var/lib/ldap/nss"
lastmod         on
rootdn          "cn=root,dc=nss,dc=sipwise,dc=com"
rootpw          s1kkr1t
dbconfig        set_cachesize 0 20971520 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass,cn,uid,uidNumber,gidNumber eq
syncrepl        rid=002
                provider=ldap://db1
                bindmethod=simple
                binddn="cn=root,dc=nss,dc=sipwise,dc=com"
                credentials=s1kkr1t
                searchbase="dc=nss,dc=sipwise,dc=com"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"
#######################################################################
# The addressbook database contains contacts for e-mail and phone.
database        bdb
suffix          "dc=addressbook,dc=sipwise,dc=com"
directory       "/var/lib/ldap/addressbook"
lastmod         on
rootdn          "cn=root,dc=addressbook,dc=sipwise,dc=com"
rootpw          s1kkr1t
dbconfig        set_cachesize 0 20971520 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass,entryUUID eq
index           cn,sn,mail,givenName sub
syncrepl        rid=003
                provider=ldap://db1
                bindmethod=simple
                binddn="cn=root,dc=addressbook,dc=sipwise,dc=com"
                credentials=s1kkr1t
                searchbase="dc=addressbook,dc=sipwise,dc=com"
                schemachecking=on
                type=refreshAndPersist
                retry="60 +"
The simple ACL configuration is:
#######################################################################
access to attrs=userPassword dn.subtree="ou=people,dc=nss,dc=sipwise,dc=com"
        by anonymous auth
        by * none
access to dn.subtree="dc=nss,dc=sipwise,dc=com"
        by users read
        by * none
access to dn.subtree="dc=addressbook,dc=sipwise,dc=com"
        by users write
        by * none
Trying to access the two databases using ldapsearch (directly towards the shadow, not the local slapd) on the proxy machine works just fine. The slapd.conf on the proxy contains two "ldap" databases which forward requests to the shadow databases:
#######################################################################
# The nss database contains NSS accounts.
database        ldap
suffix          "dc=nss,dc=sipwise,dc=com"
uri             "ldap://db/"

#######################################################################
# The addressbook database contains contacts for e-mail and phone.
database        ldap
suffix          "dc=addressbook,dc=sipwise,dc=com"
uri             "ldap://db/"
Now, trying to access the nss database using ldapsearch towards the proxy from a client works fine too, but I can't get any entries from the addressbook.
Commandlines are:

ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
    -W -b dc=nss,dc=sipwise,dc=com cn=*

ldapsearch -x -D uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com \
    -W -b dc=addressbook,dc=sipwise,dc=com cn=*
When running slapd with "-d 128" on the shadow, after the authentication stuff, I can see the following for the nss database:

=> acl_mask: access to entry "dc=nss,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com", (=0)

And for the addressbook database I get:

=> acl_mask: access to entry "dc=addressbook,dc=sipwise,dc=com", attr "cn" requested
=> acl_mask: to all values by "", (=0)
I.e. it looks like access to the addressbook database is done anonymously, even though authentication is performed right before. When doing the ldapsearches directly to the shadow, this does not happen.
Am I missing something in the proxy configuration? Why does searching the nss database work? Because my bind user is within the same database? Sounds a little bit weird to me.
Thanks a lot and best regards, daniel
Daniel Tiefnig wrote:
> Am I missing something in the proxy configuration? Why does searching the nss database work? Because my bind user is within the same database? Sounds a little bit weird to me.
Yes - when you bind to the NSS database, your bind is proxied, and a dedicated connection is used for subsequent searches on the NSS database.
However, when you bind to the NSS database, then search on the addressbook database, you don't appear to have performed a bind with an identity on the addressbook database, so slapd-ldap just assumes the anonymous identity.
Basically, the server has no way of knowing that it can trust your bind from the NSS database. The idassert-bind configuration may be of help to you - check out the man page and the detailed discussion of this in the FAQ (note the first scenario which is exactly what you want to do): http://www.openldap.org/faq/data/cache/532.html
Regards, Jonathan Clarke
--
LinID - Open Source Identity Management
---------------------------------------------------------------
Linagora
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28 / 06 99 60 03 10
---------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org/
---------------------------------------------------------------
Jonathan Clarke wrote:
> However, when you bind to the NSS database, then search on the addressbook database, you don't appear to have performed a bind with an identity on the addressbook database, so slapd-ldap just assumes the anonymous identity.
Ah, yes. That sounds reasonable.
> Basically, the server has no way of knowing that it can trust your bind from the NSS database.
Sure, but as the databases reside on the same backend server, it might just give it a try and leave the decision to the backend server. This would not make sense (and introduce a security breach) with different backend servers of course. Maybe this could be considered a valid feature request for a future release. (Or maybe this just doesn't work out as I think it does.)
> The idassert-bind configuration may be of help to you
Thanks, I gave it a try with no success. Think I'll just have to read up more on this stuff. Meanwhile I "fixed" my setup by configuring the proxy to forward everything below "dc=sipwise,dc=com" to the backend server. So the proxy now thinks "dc=nss" and "dc=addressbook" are within the same database.
Thanks again and best regards, daniel
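Editor's note, added to the thread: the slapd.conf fragments below are not from either poster. They show the idassert-bind setup Jonathan points at, written for the two-suffix proxy layout from the first mail, next to the single-suffix workaround from Daniel's follow-up. Names that are assumptions rather than from the thread: the entry cn=proxy,dc=nss,dc=sipwise,dc=com and its password "proxy-secret". Directive syntax is that of slapd-ldap(5) in 2.3; the sections belong to different files and are separated by comment banners.

```conf
#######################################################################
# Proxy side, variant 1 (added example): keep one slapd-ldap database
# per suffix, as in the original setup, but have the proxy bind to the
# shadow with its own identity and assert the client's DN on every
# forwarded operation. Assumed entry: cn=proxy,dc=nss,dc=sipwise,dc=com
# with password "proxy-secret" (both hypothetical, not from the thread).
#######################################################################

database        ldap
suffix          "dc=nss,dc=sipwise,dc=com"
uri             "ldap://db/"
# The client's own simple bind is still forwarded to the shadow, so the
# password is verified there as before. Later operations go out on a
# connection bound as cn=proxy, carrying the client's DN in a proxyAuthz
# control (mode=self), so the shadow evaluates its ACLs against
# uid=dtiefnig,... rather than "".
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=nss,dc=sipwise,dc=com"
                credentials="proxy-secret"
                mode=self
# Restrict which local identities the proxy will assert at all: only
# DNs under the people subtree, never the rootdn or arbitrary DNs.
idassert-authzFrom "dn.subtree:ou=people,dc=nss,dc=sipwise,dc=com"

database        ldap
suffix          "dc=addressbook,dc=sipwise,dc=com"
uri             "ldap://db/"
# This is the database that showed 'by "", (=0)' in the -d 128 output,
# because no bind ever took place on its own proxied connection. With
# the same assertion here it forwards the client DN too.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=nss,dc=sipwise,dc=com"
                credentials="proxy-secret"
                mode=self
idassert-authzFrom "dn.subtree:ou=people,dc=nss,dc=sipwise,dc=com"

#######################################################################
# Shadow side (host db), global section of its slapd.conf: the shadow
# must explicitly allow cn=proxy to assume the client identities, or it
# rejects the proxyAuthz control. With authz-policy "to", the entry
# cn=proxy,dc=nss,dc=sipwise,dc=com additionally needs the attribute
#   authzTo: dn.subtree:ou=people,dc=nss,dc=sipwise,dc=com
# which bounds what a compromised proxy credential could impersonate.
#######################################################################
authz-policy    to

#######################################################################
# Proxy side, variant 2: the workaround from the follow-up, for
# comparison. One slapd-ldap database above both suffixes means one
# proxied connection per client; the bind on uid=dtiefnig,...,dc=nss,...
# binds that connection and a search under dc=addressbook reuses it,
# so the shadow sees the authenticated DN. Nothing is asserted and no
# authz-policy is needed; it only works because both suffixes live on
# the same shadow, and it replaces the two databases of variant 1.
#######################################################################
database        ldap
suffix          "dc=sipwise,dc=com"
uri             "ldap://db/"
```

To check either variant, repeat the "-d 128" run on the shadow from the first mail: the acl_mask line for the dc=addressbook base should now read 'to all values by "uid=dtiefnig,ou=people,dc=nss,dc=sipwise,dc=com"' instead of 'by ""'. With variant 1 the proxy credential is as sensitive as any DN it may assert, so keep the authzTo value as narrow as the clients require and protect the proxy's slapd.conf accordingly.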
openldap-software@openldap.org