Re: access control with pbind overlay

Am Mon, 29 Sep 2014 11:24:53 +0200 schrieb Ferenc Wagner <wferi(a)niif.hu&gt;: > Dieter Klünter <dieter(a)dkluenter.de&gt; writes: > >> Am Mon, 29 Sep 2014 00:14:55 +0200 schrieb Ferenc Wagner <wferi(a)niif.hu&gt;: >> >>> Ferenc Wagner <wferi(a)niif.hu&gt; writes: >>> >>>> I've got a partial syncrepl replica, which (among others) misses >>>> the userPassword attributes of the provider database. I added a >>>> pbind overlay to the replica, which forwards binds to the >>>> provider, thus it became possible to do simple binds against the >>>> replica. But access control on the replica does not honor these >>>> binds properly: "by users" works, but "by self" does not. Before >>>> I waste too much time debugging: is it supposed to work at all? >>>> I tested this under 2.4.31 with: >>>> >>>> dn: olcDatabase={1}mdb,cn=config >>>> olcAccess: to * by >>>> dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth >>>> read by self read by * none olcSyncrepl: rid=1 [...] >>>> >>>> The external auth part works, and if I replace self with users, >>>> that works as well (but is not what I want). Do I expect too >>>> much? >>> >>> Would anybody please provide some guidance on this problem? >> >> define an authorization regular expression in order to map sasl auth >> string to a DN. > > The SASL auth part works as is, no problem with that, I included it > only to keep the olcAccess attribute verbatim. But I'd like to get > the "read by self" part work with simple binds. But these binds must > be done through the pbind overlay, as userPassword in not > replicated. Pbind works to some extent, as binding only succeeds > with the correct password, but the "by self" selector does not fire, > as if the remote and local DN were treated as different. Or is this > what you imply, that I still need a mapping in this case? Define a DN in the access rules, as 'self' must match a DN.