Dieter Klünter dieter@dkluenter.de writes:
On Mon, 29 Sep 2014 11:24:53 +0200, Ferenc Wagner wferi@niif.hu wrote:
Dieter Klünter dieter@dkluenter.de writes:
On Mon, 29 Sep 2014 00:14:55 +0200, Ferenc Wagner wferi@niif.hu wrote:
Ferenc Wagner wferi@niif.hu writes:
I've got a partial syncrepl replica, which (among others) misses the userPassword attributes of the provider database. I added a pbind overlay to the replica, which forwards binds to the provider, thus it became possible to do simple binds against the replica. But access control on the replica does not honor these binds properly: "by users" works, but "by self" does not. Before I waste too much time debugging: is it supposed to work at all? I tested this under 2.4.31 with:
dn: olcDatabase={1}mdb,cn=config
olcAccess: to * by dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth read by self read by * none
olcSyncrepl: rid=1 [...]
The external auth part works, and if I replace self with users, that works as well (but is not what I want). Do I expect too much?
Would anybody please provide some guidance on this problem?
Define an authorization regular expression in order to map the SASL auth string to a DN.
The SASL auth part works as is, no problem with that; I included it only to keep the olcAccess attribute verbatim. But I'd like to get the "read by self" part to work with simple binds. These binds must be done through the pbind overlay, as userPassword is not replicated. Pbind works to some extent, as binding only succeeds with the correct password, but the "by self" selector does not fire, as if the remote and local DN were treated as different. Or is this what you imply, that I still need a mapping in this case?
Define a DN in the access rules, as 'self' must match a DN.
I must be missing something, then... Isn't "to *" enough? It certainly works on the master, does pbind have extra requirements?
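For readers arriving at this thread with the same setup, here is the shape of the consumer-side configuration being discussed: a cn=config fragment that attaches slapo-pbind to the replica's mdb database so simple binds are forwarded to the provider, next to the access rule quoted above. This is an added example, not configuration posted by either participant, and the provider hostname, the timeout value and the overlay/database indexes are assumptions. The access rule is copied from the thread unchanged and is left as-is; nothing here claims to resolve the "by self" question.

```ldif
# Added example, not from the thread. Attaches the pbind overlay to the
# consumer's {1}mdb database. Attribute and objectClass names are the ones
# slapo-pbind(5) registers (olcPBindConfig, olcDbURI, olcDbNetworkTimeout);
# the provider URI and timeout are placeholders.
dn: olcOverlay={0}pbind,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcPBindConfig
olcOverlay: {0}pbind
# Simple binds against this consumer are replayed here. Use ldaps so the
# forwarded password is not sent in the clear (assumed hostname).
olcDbURI: ldaps://provider.example.org
# Fail the bind instead of hanging if the provider is unreachable (assumed value).
olcDbNetworkTimeout: 5

# The access rule from the thread, unchanged: external (peercred) auth gets
# read, "self" gets read, everyone else gets nothing.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth read by self read by * none
```

One check worth running before digging further: after a simple bind through the consumer, ldapwhoami (which issues the Who Am I extended operation) prints the authorization identity slapd attached to that connection. The "self" selector only fires when that identity is a DN equal to the entry being accessed, so if ldapwhoami reports something other than the bound entry's DN, the problem is in the identity attached to the session rather than in the access rule.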