Hello,
First, thank you for your help :)
>> 1/ Is there a better way to do this, without rewriting V2 values?
> Well, you can use multiple instances of back-relay instead of back-ldap, saving transliterations of requests and responses. I don't see other chances of rewriting the value of uniqueMember attributes.
Hmm. I tried to apply your suggestions, but with OpenLDAP 2.3.43 (not 2.4.* yet) I get a well-formed "segmentation fault"! So, for the moment, I have only one back-relay instead of two.
> Probably, a solution here (for a future enhancement) would be to allow specifying when rewriting should take place (before or after mapping?), or simply be as liberal as possible, allowing rewriting when either before or after an attribute will have DN syntax. You can file an ITS for this.
OK, a good idea.
>> 2/ How can I hide my transitional LDAP suffix in the rootDSE?
> Hiding values in namingContexts can be done using ACLs. What makes it tricky is that namingContexts, by (poor?) design, has no EQUALITY rule, so if you write a rule like
> access to dn.exact="" attrs=namingContexts val="o=example transitional" by * none
> it will not work. You need to specify what equality rule to use, something like
> access to dn.exact="" attrs=namingContexts val/distinguishedNameMatch="o=example transitional" by * none
OK. I also tried to apply this ACL. With some corrections, I see the ACL matching in my OpenLDAP log, but it does not work...
I have only these ACLs defined:
8<--------
access to dn.exact="" attrs=namingContexts val/distinguishedNameMatch="o=example transitional" by * none
access to dn.base="" by * read
8<--------
The first should match when namingContexts is listed, but it doesn't: I have read access to all values. I have inverted the ACLs, tried different scopes and more restrictive rights with some break/continue controls, etc.
8<--------
Backend ACL: access to dn.base="" attrs=namingContexts val.base="o=example transitional" by * none
Backend ACL: access to dn.base="" by * read
Backend ACL: access to dn.base="cn=subschema" by * read
[...]
=> access_allowed: search access to "" "objectClass" requested
=> dn: [1]
=> acl_get: [1] matched
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr objectClass
=> acl_mask: access to entry "", attr "objectClass" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: search access granted by read(=rscxd)
=> access_allowed: read access to "" "entry" requested
=> dn: [1]
=> acl_get: [1] matched
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr entry
=> acl_mask: access to entry "", attr "entry" requested
=> acl_mask: to all values by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [1]
=> acl_get: [1] matched
acl_get: val o=example transitional
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (=0)
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
=> access_allowed: read access to "" "namingContexts" requested
=> dn: [2]
=> acl_get: [2] matched
=> acl_get: [2] attr namingContexts
access_allowed: no res from state (namingContexts)
=> acl_mask: access to entry "", attr "namingContexts" requested
=> acl_mask: to value by "", (read(=rscxd))
<= check a_dn_pat: *
<= acl_mask: [1] applying read(=rscxd) (stop)
<= acl_mask: [1] mask: read(=rscxd)
=> access_allowed: read access granted by read(=rscxd)
8<--------
Any idea?
Cheers,
Thomas.
openldap-software@openldap.org