2011-09-14_16:54:56-0400 Howard Chu hyc@symas.com:
I've turned my logging way up, and the hiccup seems to be that the DN I've authenticated as (uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu) needs read access to the attributes in the filter expression. But how do I give that account read access to those attributes, without then exposing the objects that I'm trying to hide with the filter expression?
Give it auth access, not read access.
Did that, but it seems to want read access?
Sep 15 08:13:15 mid slapd[5050]: => acl_mask: access to entry "yDirectoryID=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=email", attr "yGlobalPermission" requested
Sep 15 08:13:15 mid slapd[5050]: => acl_mask: to value by "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu", (=0)
Sep 15 08:13:15 mid slapd[5050]: <= check a_dn_pat: uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu
Sep 15 08:13:15 mid slapd[5050]: <= acl_mask: [1] applying auth(=xd) (stop)
Sep 15 08:13:15 mid slapd[5050]: <= acl_mask: [1] mask: auth(=xd)
Sep 15 08:13:15 mid slapd[5050]: => slap_access_allowed: read access denied by auth(=xd)
Carefully watching the logs for both the master directory and the proxy server, the master directory is passing the information required. It's the ACLs on the proxy that are tripping me up.
search like:
ldapsearch -LLL -Z -x -y ../../private/pwemail '(uid=rpeterso)'
ldaprc like:
BASE ou=email
BINDDN uid=email,ou=admin
URI ldap://proxy.mtholyoke.edu
SIZELIMIT 40000
TLS_CACERT /local/etc/cert/ca/cacert.pem
Full config:
database ldap
suffix "ou=email"
uri "ldapi://%2Fvar%2Frun%2Fslapd%2Fmastertest%2Fldapi"
idassert-bind bindmethod=simple binddn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized" mode=self
chase-referrals yes
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap uid2emailDN "ldaps://dirt-master.mtholyoke.edu/ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu?dn?sub" binddn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized"
rwm-rewriteMap ldap yid2emailDN "ldaps://dirt-master.mtholyoke.edu/ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu?dn?sub" binddn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" credentials="sanitized"
# yUsername is rewritten to uid, so that's what we bind with
rwm-rewriteContext bindDN
rwm-rewriteRule "^(yDirectoryID=.+),ou=email" "${yid2emailDN($1)}" ":@I"
rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=email" "${uid2emailDN(yUsername=$1)}" ":@I"
rwm-suffixmassage "ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
rwm-map objectClass inetOrgPerson yDummyA
rwm-map objectClass yAccount *
rwm-map objectClass *
rwm-map attribute givenName yNameFirstLegal
rwm-map attribute sn yNameLastLegal
rwm-map attribute uid yUsername
rwm-map attribute mail yPrimaryEmail
# keep these attribute names the same
rwm-map attribute yDirectoryID *
rwm-map attribute yInstitution *
rwm-map attribute yGlobalPermission *
rwm-map attribute yDefaultApplicationPermission *
rwm-map attribute yApplicationPermission *
rwm-map attribute ySHA1Password *
rwm-map attribute *
access to dn.sub="ou=email" by dn="uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read by * break
access to dn.sub="ou=email" attrs="entry" by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read by * break
access to dn.sub="ou=email" by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" auth by * break
access to dn.sub="ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))" by anonymous auth by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read by * break
access to dn.regex="(yDirectoryID=.*),ou=email" filter="(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))" by dn="uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu" read by dn.regex=$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu read by * none
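The ACL walk that the log above is tracing can be followed step by step with a small model of the slapd.access(5) evaluation order. The following is an added example written for this page, not OpenLDAP code: the first `access to` directive whose target (dn, attrs, filter) matches is selected, its `by` clauses are tried in order, the first matching `by` decides, the default control is `stop`, and `break` carries the mask on to the next directive. The model includes a parser for the `&`/`|`/`!`/equality filter syntax the directives use, loads the five directives from the config above, and evaluates `uid=email` against constructed sample entries. The `directive 3 by[1] -> auth (stop)` step it traces is the same step the log reports as `[1] applying auth(=xd) (stop)`: the `by dn="uid=email,..." auth` clause carries no `break`, so evaluation ends there and the two filtered directives that grant `read` are never reached; a second run adds `break` to that clause to show the difference. The sample entries and DN values are constructed, and the treatment of an omitted level (the `by * break` idiom) as leaving the mask unchanged is a simplification of this model.

```python
"""slapd.access(5) in miniature: the first 'access to' whose target matches is used, its 'by'
clauses are tried in order, the default control is 'stop', 'break' moves on. Illustration only."""
import re

def parse_filter(s):
    """Parse the RFC 4515 subset the ACLs use (& | ! equality presence); returns (node, rest)."""
    op, body, kids = s[1], s[2:], []
    if op not in "&|!":  # simple item: (attr=value) or (attr=*)
        end = s.index(")")
        attr, _, value = s[1:end].partition("=")
        return ("=", attr.lower(), value), s[end + 1:]
    while body.startswith("("):
        kid, body = parse_filter(body)
        kids.append(kid)
    if not body.startswith(")") or (op == "!" and len(kids) != 1):
        raise ValueError("malformed filter near %r" % body)
    return (op, kids), body[1:]

def filter_matches(node, entry):
    """entry maps lower-cased attribute names to lists of string values."""
    op = node[0]
    if op in "&|":
        return (all if op == "&" else any)(filter_matches(k, entry) for k in node[1])
    if op == "!":
        return not filter_matches(node[1][0], entry)
    values = [v.lower() for v in entry.get(node[1], [])]
    return bool(values) if node[2] == "*" else node[2].lower() in values

class Access:
    """One directive; by = list of ((kind, pattern), level or None, control)."""
    def __init__(self, by, dn_sub=None, dn_regex=None, attrs=None, filt=None):
        self.by, self.dn_sub, self.dn_regex = by, dn_sub, dn_regex
        self.attrs = None if attrs is None else {a.lower() for a in attrs}  # None: all, incl. 'entry'
        self.filt = parse_filter(filt)[0] if filt else None
    def target(self, dn, attr, entry):
        """Regex match (carrying $1) or True when the target applies, else None."""
        hit = re.search(self.dn_regex, dn, re.I) if self.dn_regex else True
        if not hit or (self.dn_sub and not dn.lower().endswith(self.dn_sub.lower())):
            return None
        if self.attrs is not None and attr.lower() not in self.attrs:
            return None
        if self.filt and not filter_matches(self.filt, entry):
            return None
        return hit

def who_matches(who, bound_dn, hit):
    kind, pattern = who
    if kind in ("*", "anonymous"):
        return kind == "*" or bound_dn == ""
    if kind == "dn":
        return bound_dn.lower() == pattern.lower()
    if hit is not True:  # dn.regex: $1 is the capture from the 'to dn.regex' target
        pattern = pattern.replace("$1", re.escape(hit.group(1)))
    return re.search(pattern, bound_dn, re.I) is not None

def access_level(acls, bound_dn, dn, attr, entry):
    """Return (level, trace) for bound_dn on attribute attr of the entry named dn."""
    granted, trace = "none", []
    for i, acl in enumerate(acls, 1):
        hit = acl.target(dn, attr, entry)
        if hit is None:
            continue
        level, control = "none", "stop"  # no 'by' matched: implicit 'by * none stop'
        for j, (who, lvl, ctl) in enumerate(acl.by, 1):
            if who_matches(who, bound_dn, hit):
                level, control = (granted if lvl is None else lvl), ctl  # omitted level keeps mask
                trace.append("directive %d by[%d] -> %s (%s)" % (i, j, level, control))
                break
        granted = level
        if control == "stop":
            break
    return granted, trace

EMAIL = "uid=email,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
PROXY = "uid=proxy,ou=admin,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"
FILTER = ("(&(yInstitution=mtholyoke.edu)(yGlobalPermission=allow)(|(yApplicationPermission=email)"
          "(&(yDefaultApplicationPermission=allow)(!(yApplicationPermission=email)))))")
ANY_BREAK = (("*", None), None, "break")  # the 'by * break' idiom
def proxy_acls(auth_breaks=False):
    """The five directives from the post; auth_breaks adds 'break' to the third one's auth clause."""
    return [
        Access(dn_sub="ou=email", by=[(("dn", PROXY), "read", "stop"), ANY_BREAK]),
        Access(dn_sub="ou=email", attrs=["entry"], by=[(("dn", EMAIL), "read", "stop"), ANY_BREAK]),
        Access(dn_sub="ou=email", by=[(("dn", EMAIL), "auth", "break" if auth_breaks else "stop"), ANY_BREAK]),
        Access(dn_sub="ou=email", filt=FILTER,
               by=[(("anonymous", None), "auth", "stop"), (("dn", EMAIL), "read", "stop"), ANY_BREAK]),
        Access(dn_regex=r"(yDirectoryID=.*),ou=email", filt=FILTER,
               by=[(("dn", EMAIL), "read", "stop"),
                   (("dn.regex", "$1,ou=people,ou=accounts,ou=prod,dc=mtholyoke,dc=edu"), "read", "stop"),
                   (("*", None), "none", "stop")]),
    ]

# Constructed sample entries, not taken from the post; attribute names lower-cased.
OK_ENTRY = {"ydirectoryid": ["sample-1"], "yinstitution": ["mtholyoke.edu"],
            "yglobalpermission": ["allow"], "yapplicationpermission": ["email"]}
HIDDEN_ENTRY = {"ydirectoryid": ["sample-2"], "yinstitution": ["mtholyoke.edu"],
                "yglobalpermission": ["deny"], "ydefaultapplicationpermission": ["allow"]}
if __name__ == "__main__":
    for fixed in (False, True):
        lvl, trace = access_level(proxy_acls(fixed), EMAIL, "yDirectoryID=sample-1,ou=email", "yGlobalPermission", OK_ENTRY)
        print("auth clause breaks=%s -> %s: %s" % (fixed, lvl, "; ".join(trace)))
```

Run as a script, the first line of output stops at directive 3 with `auth`, the second continues into directive 4 and ends with `read`; for the entry that fails the filter, neither filtered directive applies even with `break` in place, so that account never gets beyond `auth` on its attributes.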