Hi everyone,
As I understand from documentation, acl-bind is a technique to fetch
acls from backend ldap to ldap proxy and apply them in there. Is this
correct?
I can't find any working example with shown logs to prove my idea nor i
can get my configs to work. Maybe there is something i don't know?
My configs:
/etc/ldap/slapd.d/cn=config/olcDatabase={2}ldap.ldif:
dn: olcDatabase={2}ldap
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {2}ldap
structuralObjectClass: olcLDAPConfig
entryUUID: da219748-6515-1031-9486-41b4d47f5b36
olcSuffix: dc=ktu,dc=lt
olcDbURI: ldap://83.171.20.45
olcDbIdleTimeout: 60
olcDbACLBind: bindmethod=simple binddn="cn=test,dc=ktu,dc=lt"
credentials="test"
Logs:
Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: access to entry
"dc=ktu,dc=lt", attr "entry" requested
Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: to all values by
"cn=admin,dc=ktu,dc=lt", (=0)
Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: *
Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] applying +0 (break)
Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] mask: =0
Jul 19 12:17:36 bijote slapd[1435]: => dn: [2]
Jul 19 12:17:36 bijote slapd[1435]: => dn: [3] cn=subschema
Jul 19 12:17:36 bijote slapd[1435]: <= acl_get: done.
Jul 19 12:17:36 bijote slapd[1435]: => slap_access_allowed: no more rules
Clearly visible, that there is no ACL configs in database definition,
and ACL's comes from frontend database (defaults):
/etc/ldap/slapd.d/cn=config/olcDatabase\={2}ldap.ldif:
...
olcAccess: {0}to * by
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external
,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
....
As I understand, there should be ACL in ldap proxy (custom or defaults,
tied to backends ACL's or not). Please help me to clear things out.
--
Sincerely,
Nerijus Kislauskas
KTU ITPI, Litnet valdymo centras