Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none
which works fine on the "real" DN dc=dighum,dc=kcl,dc=ac,dc=uk - I can add extra attrs like homeDirectory and an unauth'd ldapsearch will not list them - e.g.:
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=dighum,dc=kcl,dc=ac,dc=uk
However, an
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
lists the "virtual copy" tree AND includes the userPassword attr for each entry, which, of course, is rather bad.
Anyone see why the ACLs are not being applied to the results of the relay/rwm section?
Many thanks,
Tim
slapd.conf
#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel        -1

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_relay
moduleload      rwm

# The maximum number of entries that is returned for a search operation
sizelimit       500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads    1

allow           bind_anon_cred bind_anon_dn update_anon

backend         hdb
#backend        <other>

overlay         rwm
rwm-rewriteEngine on

# Virtual maps
#
# map ou=staff,dc=cch to dc=dighum
#
database        relay
suffix          "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay           "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay         rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#######################################################################
# Specific Directives for database dighum
#
database        hdb
suffix          dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn          "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw          "CENSORED"
directory       "/var/lib/ldap"
dbconfig        set_cachesize 0 2097152 0
dbconfig        set_lk_max_objects 1500
dbconfig        set_lk_max_locks 1500
dbconfig        set_lk_max_lockers 1500
index           objectClass eq
lastmod         on
checkpoint      512 30

#######################################################################
# ACLs
#
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none

access to dn.base=""
        by * read

access to *
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by self write
        by * read

#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database       <other>
#suffix         "dc=debian,dc=org"
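An added example for readers of this thread, not part of Tim's post. In slapd.conf, an `access to` directive that appears after a `database` line belongs to that database only, while `access to` directives placed before the first `database` line are global and apply to every database that has no ACLs of its own; a database with no ACLs at all falls back to the default policy, which permits read access to everyone (see slapd.access(5)). In the posted file the three ACLs sit after `database hdb`, so the earlier `database relay` definition has none. The fragment below keeps the same ACLs and the same two databases but moves the ACLs into the global section, ahead of both database definitions, so they also govern entries served through the relay; it assumes the rest of the file (includes, module loading, the rwm/hdb directives) is unchanged, and the path /etc/ldap/slapd.conf is the usual Debian location rather than something stated in the post.

```conf
#######################################################################
# Global ACLs: placed BEFORE any "database" directive so that every
# database, including the relay, inherits them.
#
# Password attributes: never readable by ordinary or anonymous clients.
access to attrs=userPassword,shadowLastChange
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by anonymous auth
        by self write
        by * none

# The root DSE stays readable so clients can discover the server.
access to dn.base=""
        by * read

# Everything else: admin and local socket write, users edit themselves,
# everyone may read.
access to *
        by peername.path="/var/run/slapd/ldapi" write
        by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
        by self write
        by * read

#######################################################################
# Virtual view of dc=dighum under ou=staff,dc=cch (no ACLs of its own,
# so the global ones above apply).
#
database        relay
suffix          "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay           "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay         rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#######################################################################
# The real data.
#
database        hdb
suffix          dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn          "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw          "CENSORED"
directory       "/var/lib/ldap"
index           objectClass eq
lastmod         on
checkpoint      512 30
```

Before restarting slapd, the effect can be checked offline with slapacl(8), which evaluates the configured ACLs for a given identity and entry without a running server; for example, `slapacl -f /etc/ldap/slapd.conf -b "uid=someone,ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk" userPassword/read` (no `-D`, i.e. anonymous) should report that read is denied once the ACLs are global. The DN used there is a constructed placeholder. Repeating the anonymous ldapsearch against both the real and the virtual base afterwards, and confirming that neither output contains a `userPassword:` line, is the final confirmation.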