On Thu, Apr 28, 2016 at 09:15:09AM -0400, Aaron Richton wrote:
> > But if I put this kind of an ACL entry to my proxy, when a member of the group "cn=somegroup,ou=somebranch,dc=dom,dc=ain" tries to access somethingPrivate, the ACL checker falls all the way through to the "by * none" WHO clause and no access is granted.
>
> I think I'd start with some basics here: what does ldapcompare(1) show about group membership (or lack thereof)? Does it match/disagree with slapd "acl" debugging output?

It matches.

> > I have added the acl-authcDN and acl-passwd config lines to my meta backend config after the URI, but they don't seem to have any effect. Moreover, I found
>
> I believe that back-meta, like back-ldap, is transitioning toward the acl-bind directive. For now, this appears (perhaps unfortunately) to only be documented in the slapd-ldap(5) man page. So take a look at that too.
>
> > I'm running 2.4.39 from the RHEL 7 distribution.
>
> I don't know how many patches RHEL may (or may not) backport for you, but I know that some significant improvements have been made since 2.4.39, including some back-meta logging enhancements that might make this process a bit easier. You should consider using the latest 2.4 release instead.

I can't use back-ldap because I have two mirroring backend servers I want to connect to (in case one of them fails) and that is precisely the functionality I require from back-meta.

Looking at the code, my version of back-meta doesn't know anything about acl-bind (back-ldap does). It does know about acl-authcdn and acl-passwd, though. From back-meta/config.c:

--clip--
	case LDAP_BACK_CFG_ACL_AUTHCDN:
	case LDAP_BACK_CFG_ACL_PASSWD:
		/* FIXME no point here, there is no code implementing
		 * their features. Was this supposed to implement
		 * acl-bind like back-ldap? */
		rc = 1;
		break;
--clip--

So, um. Maybe I'll have a look at the latest 2.4 code next. Thanks for the reply.
--Janne
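The fall-through behaviour discussed in this thread (a "by group=..." clause that never matches, so evaluation lands on "by * none") is easier to reason about with a small model of slapd's first-match ACL evaluation. The following is an added example written for this page; it is not OpenLDAP code and deliberately simplifies the real semantics (no break/continue controls, no regex targets, attribute-level matching only). The directory contents, the user "uid=alice,ou=people,dc=dom,dc=ain", and the two group resolvers are constructed for illustration: one models a backend that can read its own group entries, the other models a proxy backend whose internal group lookup fails because it has no identity to bind with, which is the situation the thread describes for back-meta 2.4.39 where acl-authcDN/acl-passwd are parsed but not implemented.

```python
"""
Toy model of slapd's first-match ACL evaluation for a group-based "by" clause.
Added example for this thread; it is not OpenLDAP code and simplifies the real
semantics (no "break"/"continue" controls, no regex targets, attribute-level only).
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Access levels in slapd's order; "none" is the implicit fall-through result.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass
class ByClause:
    who: str      # "*", "anonymous", "users", "dn=<dn>" or "group=<group dn>"
    access: str   # one of LEVELS


@dataclass
class AccessDirective:
    attrs: Optional[Set[str]]     # None: applies to the whole entry
    by: List[ByClause] = field(default_factory=list)


# Constructed sample directory: group DN -> set of member DNs (hypothetical names).
GROUPS: Dict[str, Set[str]] = {
    "cn=somegroup,ou=somebranch,dc=dom,dc=ain": {
        "uid=alice,ou=people,dc=dom,dc=ain",
    },
}

# A group resolver returns the member set, or None when the backend cannot
# read the group entry (e.g. a proxy with no credentials to bind with).
GroupLookup = Callable[[str], Optional[Set[str]]]


def local_group_lookup(group_dn: str) -> Optional[Set[str]]:
    """Model of a backend that can read its own group entries."""
    return GROUPS.get(group_dn)


def unauthenticated_proxy_lookup(group_dn: str) -> Optional[Set[str]]:
    """Model of a proxy backend with no working acl-bind identity: the
    internal search for the group entry fails, so membership is unknown."""
    return None


def who_matches(who: str, bound_dn: Optional[str], lookup: GroupLookup) -> bool:
    """Does one 'by' clause apply to the bound identity?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who.startswith("dn="):
        return bound_dn == who[len("dn="):]
    if who.startswith("group="):
        members = lookup(who[len("group="):])
        # Unreadable group -> clause does not match; never an implicit grant.
        return members is not None and bound_dn in members
    raise ValueError(f"unsupported who clause: {who}")


def check_access(directives: List[AccessDirective], bound_dn: Optional[str],
                 attr: Optional[str], lookup: GroupLookup) -> str:
    """Return the access level this model grants for the requested attribute.

    The first directive whose target matches is the only one consulted; within
    it the first matching "by" clause wins; nothing matching means "none".
    """
    for d in directives:
        if d.attrs is not None and (attr is None or attr not in d.attrs):
            continue
        for clause in d.by:
            if who_matches(clause.who, bound_dn, lookup):
                return clause.access
        return "none"   # implicit trailing "by * none"
    return "none"


def has_at_least(granted: str, needed: str) -> bool:
    """Compare two access levels in slapd's ordering."""
    return LEVELS.index(granted) >= LEVELS.index(needed)


# ACL shaped like the one under discussion: group members may read the private
# attribute, everyone else gets nothing; other attributes readable by any user.
ACL = [
    AccessDirective(
        attrs={"somethingPrivate"},
        by=[
            ByClause("group=cn=somegroup,ou=somebranch,dc=dom,dc=ain", "read"),
            ByClause("*", "none"),
        ],
    ),
    AccessDirective(attrs=None, by=[ByClause("users", "read")]),
]

ALICE = "uid=alice,ou=people,dc=dom,dc=ain"   # hypothetical group member

if __name__ == "__main__":
    for name, lookup in [("local backend", local_group_lookup),
                         ("unauthenticated proxy", unauthenticated_proxy_lookup)]:
        level = check_access(ACL, ALICE, "somethingPrivate", lookup)
        print(f"{name}: alice on somethingPrivate -> {level}")
```

The point the model makes is that a group clause the backend cannot evaluate is treated as a non-match rather than an error, so the same ACL fails closed on the proxy: the member ends up at "by * none" exactly as reported above. That is the safe direction, but it also means ldapcompare(1) against the backing server can confirm membership while the proxy's own ACL evaluation still denies, which is why the identity used for the proxy's internal group lookup (acl-bind in back-ldap) matters.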