On 2/7/20 19:42, brent s. wrote:
Hey, all!
(SNIP)
I get the error:
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(SNIP)
I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I need to reference the group in the ACL explicitly with the LDAP URI prefixed or something?
Update: this was indeed a PEBKAC. I'm not sure which exactly caused it, but it is now working after:
1.) I added an appropriate TLS_CACERT to /etc/openldap/ldap.conf (is this redundant with OLC? See #2 below) on the proxy and the target server.
2.) I changed cn=config?olcTLSCACertificateFile to match the value of #1 on the proxy and target server.
3.) The olcDatabase={3}ldap,cn=config entry now reads as such:
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxyUser,dc=domain,dc=net" credentials=somePasswordHere starttls=critical tls_protocol_min=1.2
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
I can now both auth successfully as a bind DN located on dc=domain,dc=net to dc=domain,dc=com AND use group-based ACL rules on dc=domain,dc=com based on groups found on dc=domain,dc=net (after appropriate ACL rules for reading those groups' membership were created on dc=domain,dc=net for cn=proxyUser,dc=domain,dc=net).
Sorry for the noise!
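Added example, not part of the original thread: the two ACL fragments that the working setup above implies, written as cn=config LDIF. It reuses the DNs from the thread; the database indices ({1}mdb on the target server, {2}mdb on the proxy) and the assumption that groups are groupOfNames entries with a member attribute are mine, not the poster's.

```ldif
# Target server (dc=domain,dc=net): let the identity the proxy asserts with
# read the group entries, so the proxy's group-membership check can succeed.
# Assumption: groups are groupOfNames objects using the "member" attribute,
# and the local data database is olcDatabase={1}mdb.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=groups,dc=domain,dc=net" attrs=entry,objectClass,cn,member
  by dn.exact="cn=proxyUser,dc=domain,dc=net" read
  by * break

# Proxy (dc=domain,dc=com): a group-based rule whose group lives in the remote
# directory reached through olcDatabase={3}ldap. slapd resolves the group with
# an internal search that back-ldap forwards to bar.domain.tld, which is why
# the rule above has to exist on the target server.
# Assumption: the local data database on the proxy is olcDatabase={2}mdb.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="dc=domain,dc=com"
  by group.exact="cn=groupadmins,ou=groups,dc=domain,dc=net" write
  by * read
```

Apply each stanza with ldapmodify against the respective server's cn=config; the `by * break` keeps any existing, more specific rules on ou=groups in effect after the proxyUser grant.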