I have a proxy server ('ldap' backend) sitting in front of a master directory.
The DNs on my master directory are UUIDs + ou + domain, e.g. myid=1234...89,dc=yada,dc=com.
Each object has a (unique) username attribute.
Logging in on the proxy server involves mapping the username to the DN
    # map: username -> DN on the master (searched under ou=something,dc=xyz,dc=com)
    rwm-rewriteMap ldap uid2DN "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub" binddn="uid=..." credentials="xxx"
    # rewrite the bind DN uid=<user>,ou=zzz into the master's DN for that user
    rwm-rewriteContext bindDN
    rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=zzz" "${uid2DN(myusername=$1)}" ":@I"
I would like anyone logging in as themselves to be able to read their own attributes. I'm having trouble doing this. 'Self' doesn't seem to work because of the mapping going on, e.g.
    access to dn.sub="ou=vpn" by self read by anonymous auth by * none
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com", (read(=rscxd))
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access denied by none(=0
I think 'self' doesn't match because myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (is my thinking correct on this?)
How do I allow a user to read their own attributes in this situation?
-Ron-
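The following is an added illustration, not code from Ron's post or from OpenLDAP itself. It models the two steps visible in the log above: the rwm bindDN rewrite (with a constructed in-memory table standing in for the uid2DN ldap map, since the real map is a directory search) and slapd's "by self" test, which grants access only when the normalized DN of the entry equals the normalized DN of the bound identity. The DN normalization is a deliberate simplification (case-folded attribute types, trimmed RDNs, no escaped commas) and the username "ron" is an assumption.

```python
import re

# Constructed stand-in for the "uid2DN" ldap rewriteMap: username -> DN on the master.
# The real map performs an LDAP search for myusername=<user> under
# ou=something,dc=xyz,dc=com and returns the matching entry's DN.
UID2DN = {
    "ron": "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com",
}

# Pattern from the rwm-rewriteRule in the post: uid=<user>,ou=zzz
BIND_RULE = re.compile(r"^uid=([a-z0-9_]{3,24}),ou=zzz")


def rewrite_bind_dn(dn):
    """Model the bindDN rewrite context: a DN matching BIND_RULE is replaced by
    the master DN looked up through the (constructed) uid2DN map. Anything that
    does not match, or has no mapping, is passed through unchanged."""
    m = BIND_RULE.match(dn)
    if not m:
        return dn
    return UID2DN.get(m.group(1), dn)


def normalize_dn(dn):
    """Simplified DN normalization: lower-case attribute types and strip
    whitespace around each RDN. Assumes no escaped commas in values."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def acl_self_matches(entry_dn, bound_dn):
    """'by self' succeeds only when the entry being accessed *is* the entry
    the client authenticated as, i.e. the two DNs are identical after
    normalization. A DN in a different part of the tree never matches."""
    return normalize_dn(entry_dn) == normalize_dn(bound_dn)


def explain(entry_dn, client_bind_dn):
    """Run the rewrite, then the self check, and return a small report."""
    bound = rewrite_bind_dn(client_bind_dn)
    return {
        "bound_dn": bound,
        "entry_dn": entry_dn,
        "self_matches": acl_self_matches(entry_dn, bound),
    }


if __name__ == "__main__":
    # Entry DN taken from the acl_mask line in the post; the identity slapd
    # evaluates is the rewritten (master-side) DN, so 'self' cannot match.
    report = explain("myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz",
                     "uid=ron,ou=zzz")
    for k, v in report.items():
        print(f"{k}: {v}")
```

The report shows bound_dn ending in ou=something,dc=xyz,dc=com while entry_dn ends in ou=zzz, so self_matches is False, exactly the mismatch the log records before falling through to the "by * none" clause. Swapping the entry DN for the master-side DN makes the same check succeed, which is what isolates the rewrite as the cause rather than the ACL itself.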