Hello dear Openldap community,
I'm writing you this email because I'm trying to create a configuration using the relay backend + rwm and setting ACLs in the virtual database, and I must admit I'm a little bit confused about how all these components are working together.
I actually have two databases:
- The real one: dc=ptitoliv,dc=net
- The virtual one: dc=example,dc=com
I did a simple configuration using the RWM overlay and the rwm-suffixmassage directive. Everything seems to be okay except for the ACL.
More precisely, my concern is about the ACL to apply in order to restrict the access to the userPassword attribute to the "virtual self" on the virtual database.
My current status is the following:
- If I don't put any ACL on the relay database, the userPassword attribute is readable by any authenticated user, which is a thing I don't want.
- If I put the following ACL "to attrs=userPassword by self write by anonymous auth by * none" on the relay database, nobody can read the userPassword, including the virtual self.
About the second point, if I understood correctly it's because the virtual binddn is mapped directly to the real one and the ACL tries to be resolved using the real binddn and not the virtual one, as shown in the following trace.

673bb5e0.21d77b65 0x7f0d33dbf700 => access_allowed: read access to "uid=user,ou=people,dc=example,dc=com" "userPassword" requested
673bb5e0.21d78357 0x7f0d33dbf700 => acl_get: [1] attr userPassword
673bb5e0.21d79164 0x7f0d33dbf700 => acl_mask: access to entry "uid=user,ou=people,dc=example,dc=com", attr "userPassword" requested
673bb5e0.21d798c0 0x7f0d33dbf700 => acl_mask: to value by "uid=user,ou=people,dc=ptitoliv,dc=net", (=0)
673bb5e0.21d7bab8 0x7f0d33dbf700 <= check a_dn_pat: self
673bb5e0.21d7cc2c 0x7f0d33dbf700 <= check a_dn_pat: anonymous
673bb5e0.21d7d9d5 0x7f0d33dbf700 <= check a_dn_pat: *
673bb5e0.21d7e601 0x7f0d33dbf700 <= acl_mask: [3] applying none(=0) (stop)
673bb5e0.21d7f6df 0x7f0d33dbf700 <= acl_mask: [3] mask: none(=0)
673bb5e0.21d7fda4 0x7f0d33dbf700 => slap_access_allowed: read access denied by none(=0)
So my question is whether it is possible to have an ACL on a virtual database in order to make the userPassword readable only by the logged-in user itself. Or is it just something that is not possible, and if I want to access the userPassword attribute, can it only be done on the real database?
I tried to do some rewrite operations on the binddn but without any success 🙁
Thanks for your help!
Regards, Olivier Bonhomme
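As an added example (not the poster's own configuration), here is a slapd.conf sketch of the two databases as described in the mail, with the same userPassword rule placed on each so the behaviour in the trace can be reproduced; the schema and module paths, the directory and the rootdn are assumptions.

```conf
# Added example, not the poster's file. DNs are those from the mail;
# paths and rootdn are assumptions.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# assumed module location
modulepath      /usr/lib/openldap
moduleload      back_mdb.la
moduleload      back_relay.la
moduleload      rwm.la

# Real database: the entries and the bind DNs live here.
database        mdb
suffix          "dc=ptitoliv,dc=net"
# assumed
rootdn          "cn=admin,dc=ptitoliv,dc=net"
directory       /var/lib/ldap/ptitoliv
# On this database "self" is compared with the real bind DN, which is
# also the DN of the entry being read, so the rule matches the user.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# Virtual database: relays to the real one and massages the suffix.
database        relay
suffix          "dc=example,dc=com"
relay           "dc=ptitoliv,dc=net"
overlay         rwm
rwm-suffixmassage "dc=ptitoliv,dc=net"
# Same rule as above, placed on the relay database. The trace in the
# mail shows the target entry as uid=user,ou=people,dc=example,dc=com
# while the bind DN is uid=user,ou=people,dc=ptitoliv,dc=net, so the
# "self" clause never matches and the final "by * none" denies the read.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

Running slapd with the ACL debug level (-d acl) while a virtual user reads its own entry reproduces the acl_mask lines quoted in the mail.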