On Wed, Apr 27, 2016 at 12:10:31PM -0400, Aaron Richton wrote:
> Yes, this should be possible, something along the lines of:
>
> access to attrs=somethingPrivate by self none break by * none
> access to attrs=somethingPrivate by peername.ip="1.2.3.0%255.255.255.0" write by * none
Thanks for the tip, this really does seem to work. :)
As we're building a proxy configuration, this requires some reordering of the ACLs. Until now, the ACLs have all resided on the backend servers, and the proxy hasn't had any (it has been configured as a read-only meta database).
This would require moving at least some of the ACLs to the proxy, because the backend sees all the connections as coming from the proxy, correct?
But this introduces an additional problem. Some of the attributes that require "self" from a certain IP address should also work when a member of a certain group accesses the attribute from anywhere.
So something like this should work:
--clip--
access to attrs=somethingPrivate by group/groupOfUniqueNames/uniqueMember.exact="cn=somegroup,ou=somebranch,dc=dom,dc=ain" read by self none break by * none
access to attrs=somethingPrivate by peername.ip="1.2.3.0%255.255.255.0" write by * none
--clip--
But if I put this kind of an ACL entry to my proxy, when a member of the group "cn=somegroup,ou=somebranch,dc=dom,dc=ain" tries to access somethingPrivate, the ACL checker falls all the way through to the "by * none" WHO clause and no access is granted.
I have added the acl-authcDN and acl-passwd config lines to my meta backend config after the URI, but they don't seem to have any effect. Moreover, I found this:
http://www.openldap.org/lists/openldap-devel/201208/msg00002.html
which says
--clip--
I see a few puzzling inconsistencies, like the existence of acl-passwd and acl-authcDN keywords that don't actually have any functional code behind them. I would guess they should have been replaced with acl-bind but there's no implementation of that anywhere either.
--clip--
Wonder if that's still true? If so, what'd be a working method to check group based ACLs on the proxy?
I'm running 2.4.39 from the RHEL 7 distribution.
--
Janne Peltonen
University of Helsinki
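To make the ordering semantics in the thread concrete, here is a small Python model of how slapd walks the two access directives above with the stop and break controls (an added example for this page, not code from the thread or from OpenLDAP). It assumes that the group lookup succeeds and models only the "stop" and "break" controls, so it shows what the intended ordering grants but cannot reproduce the proxy's group-lookup failure; the subnet, group DN and request values are constructed.

```python
import ipaddress

# Constructed subnet and group DN, taken from the ACLs quoted in the thread.
TRUSTED_NET = ipaddress.ip_network("1.2.3.0/255.255.255.0")
GROUP_DN = "cn=somegroup,ou=somebranch,dc=dom,dc=ain"

# <who> matchers see the request: bind DN, target entry DN, peer IP and the
# set of groups the bind DN belongs to. Group membership is assumed to be
# resolvable here; on the proxy that lookup is what the thread reports failing.
def who_group(req): return GROUP_DN in req["groups"]
def who_self(req):  return req["bind_dn"] == req["target_dn"]
def who_peer(req):  return ipaddress.ip_address(req["peer_ip"]) in TRUSTED_NET
def who_any(req):   return True

# The two access directives in the order they appear in the post.
# Each <by> clause is (matcher, access, control); control is "stop" or "break".
ACLS = [
    [(who_group, "read", "stop"), (who_self, "none", "break"), (who_any, "none", "stop")],
    [(who_peer, "write", "stop"), (who_any, "none", "stop")],
]

def evaluate(req, acls=ACLS, default="none"):
    """Return the access level granted to attrs=somethingPrivate.

    Within a directive the first matching <by> clause wins. With the default
    control ("stop") evaluation ends there; with "break" evaluation continues
    at the next access directive. The "continue" control is not modelled."""
    for directive in acls:
        for matcher, access, control in directive:
            if not matcher(req):
                continue
            if control == "break":
                break          # fall through to the next access directive
            return access      # "stop": this clause decides
    return default

def request(bind_dn, target_dn, peer_ip, groups=()):
    return {"bind_dn": bind_dn, "target_dn": target_dn,
            "peer_ip": peer_ip, "groups": set(groups)}

if __name__ == "__main__":
    me, admin = "uid=janne,ou=people,dc=dom,dc=ain", "uid=admin,dc=dom,dc=ain"
    cases = {
        "self from trusted net":      request(me, me, "1.2.3.4"),
        "self from elsewhere":        request(me, me, "198.51.100.7"),
        "group member, any address":  request(admin, me, "198.51.100.7", [GROUP_DN]),
        "self + group, trusted net":  request(me, me, "1.2.3.4", [GROUP_DN]),  # group clause is first: read, not write
        "backend sees proxy address": request(me, me, "10.0.0.5"),  # constructed proxy IP, so peername never matches
    }
    for name, req in cases.items():
        print(f"{name:28s} -> {evaluate(req)}")
```

The last two cases show the two consequences of this ordering that are easy to miss: a group member reading their own entry from the trusted network gets read rather than write, and a peername clause left on the backend never matches once the proxy is the peer.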