hello
I need to give access to a partial replica of my ldap directory; this replica only contains "white pages" attributes -> no userpassword!
syncrepl rid=001 filter="(|(objectClass=organizationalPerson))" attrs="uid,cn,sn,ou,departmentNumber,GivenName"
I created a bind user in the master ldap to give external access to that replica, but as I don't replicate userpassword, that bind user doesn't have a userpassword in the replica and so cannot authenticate on it (chicken-and-egg problem!)
So how can I have that partial replica without userpassword attributes, but still allow someone (at least one DN, but not the rootdn in slapd.conf, which I want to keep secret) to bind to that replica!?
I tested a binddn outside the ldap database with SASL (digest-md5), but apparently (ldapsearch -Y) it requires a userpassword attribute for that binddn in the ldap database :-( I thought that having a password only in /etc/sasldb2 would be enough ... too bad ;-( I also tested with a translucent in front of my replica; in that translucent I added the userpassword for the binddn so that it can bind, but the search addressed to that translucent, which finally goes to my partial replica, ends up as an anonymous bind, not as the binddn I expected :-( (so ACLs cannot be matched)
Please let me know how to let a user+password (binddn having a corresponding ACL) search my replica when the replica does not contain userpassword attributes (or at least one for that binddn). Would it be possible to replicate the userpassword attribute from the master only for that binddn?
Thanks.
On Thursday, 9 April 2009 12:23, Jehan PROCACCIA wrote:
Sounds simple, but I haven't tried it :-(
Use two databases in your "White pages server"
database 1 contains only DNs with userpassword, database 2 your white pages
create for both databases separate syncrepl stanzas with different RIDs.
use the defaultsearch statement in slapd.conf to direct all searches without a searchbase to database 2
put ACLs for database 2 so that the "who clause" in ACL write/manage statements point to entries in database 1
do not allow any anonymous access to database 1
force database 1 to only accept encrypted access
Thanks.
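One way to lay out the two-database replica described in the reply above, as an added slapd.conf example that is not from the thread (the directive for empty-base searches is spelled defaultsearchbase). Assumed: a master at ldap-master.example.com, bind accounts kept under ou=binddns,dc=example,dc=com on the master, a replicator account cn=replicator,dc=example,dc=com that the master's ACLs allow to read userPassword, and the mdb backend.

```conf
# Global section: a search with an empty base DN is sent to the white-pages database
defaultsearchbase "dc=example,dc=com"

#### Database 1: bind identities only; the one place userPassword is replicated ####
# Listed first because its suffix lies inside the suffix of database 2.
database   mdb
suffix     "ou=binddns,dc=example,dc=com"
directory  /var/lib/ldap/binddns
rootdn     "cn=admin,ou=binddns,dc=example,dc=com"
# Assumed layout: the bind accounts live under ou=binddns on the master.
syncrepl rid=001
    provider=ldap://ldap-master.example.com
    type=refreshAndPersist
    searchbase="ou=binddns,dc=example,dc=com"
    filter="(objectClass=person)"
    attrs="objectClass,cn,sn,userPassword"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=replicator-secret
    starttls=critical
# Operations against this database must arrive over TLS (ssf 128 or better).
security ssf=128
# No anonymous reads: "auth" only lets slapd check a password during a bind.
access to attrs=userPassword
    by anonymous auth
    by * none
access to *
    by * none

#### Database 2: the white pages; no userPassword is ever replicated here ####
database   mdb
suffix     "dc=example,dc=com"
directory  /var/lib/ldap/whitepages
# No rootpw: the rootdn exists for syncrepl's internal writes only and cannot be bound to.
rootdn     "cn=admin,dc=example,dc=com"
syncrepl rid=002
    provider=ldap://ldap-master.example.com
    type=refreshAndPersist
    searchbase="ou=people,dc=example,dc=com"
    filter="(objectClass=organizationalPerson)"
    attrs="objectClass,uid,cn,sn,ou,departmentNumber,givenName"
    bindmethod=simple
    binddn="cn=replicator,dc=example,dc=com"
    credentials=replicator-secret
    starttls=critical
# The "who" clause names an entry that lives in database 1, not in this one.
access to *
    by dn.exact="cn=whitepages,ou=binddns,dc=example,dc=com" read
    by * none
```

Because database 1 only pulls entries below ou=binddns, this also answers the last question of the original post: userPassword reaches the replica for the bind accounts and for nothing else.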
Jehan PROCACCIA Jehan.Procaccia@it-sudparis.eu writes:
Have you thought about an X.500 certificate, startTLS and sasl external mechanism?
-Dieter
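The certificate-based alternative Dieter mentions, as an added slapd.conf example that is not from the thread: with TLS client certificates and SASL EXTERNAL, the identity the ACL sees is the certificate's subject DN, so no entry and no userPassword for it has to exist in the replica at all. Assumed: certificate files under /etc/openldap/certs and a client certificate with subject cn=whitepages,ou=clients,o=example issued by that CA; the syncrepl stanza for the white-pages database is left out here.

```conf
# Global TLS settings; the listed CA is the one that issued the client certificates.
TLSCACertificateFile   /etc/openldap/certs/ca.pem
TLSCertificateFile     /etc/openldap/certs/replica.pem
TLSCertificateKeyFile  /etc/openldap/certs/replica-key.pem
# "try": request a client certificate; one that is sent must chain to the CA,
# clients that send none still connect but stay anonymous (and match "by * none").
TLSVerifyClient try

database   mdb
suffix     "dc=example,dc=com"
directory  /var/lib/ldap/whitepages
rootdn     "cn=admin,dc=example,dc=com"
# Keep plaintext sessions out of this database altogether.
security ssf=128
# The EXTERNAL identity is the subject DN of the presented certificate; the ACL
# compares DN strings, so this DN need not exist as an entry in the replica.
access to *
    by dn.exact="cn=whitepages,ou=clients,o=example" read
    by * none
```

The client then points TLS_CERT and TLS_KEY in its ldaprc at the certificate and key and searches with `ldapsearch -ZZ -Y EXTERNAL -H ldap://replica.example.com -b dc=example,dc=com '(uid=*)'`; `ldapwhoami -ZZ -Y EXTERNAL` shows the DN the ACL will be matched against.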
openldap-software@openldap.org