Dieter Klünter <dieter(a)dkluenter.de> writes:
On Mon, 29 Sep 2014 11:24:53 +0200, Ferenc Wagner <wferi(a)niif.hu> wrote:
> Dieter Klünter <dieter(a)dkluenter.de> writes:
>
>> On Mon, 29 Sep 2014 00:14:55 +0200, Ferenc Wagner <wferi(a)niif.hu> wrote:
>>
>>> Ferenc Wagner <wferi(a)niif.hu> writes:
>>>
>>>> I've got a partial syncrepl replica, which (among others) misses
>>>> the userPassword attributes of the provider database. I added a
>>>> pbind overlay to the replica, which forwards binds to the
>>>> provider, thus it became possible to do simple binds against the
>>>> replica. But access control on the replica does not honor these
>>>> binds properly: "by users" works, but "by self" does not. Before
>>>> I waste too much time debugging: is it supposed to work at all?
>>>> I tested this under 2.4.31 with:
>>>>
>>>> dn: olcDatabase={1}mdb,cn=config
>>>> olcAccess: to * by
>>>>  dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth
>>>>  read by self read by * none
>>>> olcSyncrepl: rid=1 [...]
>>>>
>>>> The external auth part works, and if I replace self with users,
>>>> that works as well (but is not what I want). Do I expect too
>>>> much?
>>>
>>> Would anybody please provide some guidance on this problem?
>>
>> define an authorization regular expression in order to map sasl auth
>> string to a DN.
>
> The SASL auth part works as is, no problem with that, I included it
> only to keep the olcAccess attribute verbatim. But I'd like to get
> the "read by self" part to work with simple binds. But these binds must
> be done through the pbind overlay, as userPassword is not
> replicated. Pbind works to some extent, as binding only succeeds
> with the correct password, but the "by self" selector does not fire,
> as if the remote and local DN were treated as different. Or is this
> what you imply, that I still need a mapping in this case?
Define a DN in the access rules, as 'self' must match a DN.

I must be missing something, then... Isn't "to *" enough? It certainly
works on the master; does pbind have extra requirements?
--
Thanks,
Feri.
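To make the difference between the "by self" and "by users" selectors in the rule above concrete, here is a toy evaluator of the <who> part of an olcAccess clause. It is an added example, not code from OpenLDAP or from either poster: it models only the selectors the thread's rule uses ("*", "self", "users", "anonymous", "dn.exact=") and slapd's rule that the first matching <who> clause decides the access level, with a deliberately simplified DN normalisation. The entry DNs uid=alice and uid=bob are constructed; the peercred DN and the rule text come from the thread.

```python
"""Toy model of how slapd evaluates the <who> clauses of an olcAccess rule.

Added example for this thread, not code from OpenLDAP or from either poster.
It models only the selectors the thread's rule uses ("*", "self", "users",
"anonymous", "dn.exact=") and the slapd rule that the FIRST matching <who>
clause decides the access level. DN normalisation is simplified: real slapd
follows RFC 4514 far more carefully.
"""
import re
from typing import List, Optional, Tuple

# The rule from the thread, kept verbatim apart from being on one line.
THREAD_ACL = ("to * by "
              "dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth "
              "read by self read by * none")

# Same rule with "self" replaced by "users", the variant the poster says works.
USERS_ACL = THREAD_ACL.replace("by self read", "by users read")


def normalize_dn(dn: str) -> str:
    """Simplified DN normalisation: trim, drop blanks around separators, lowercase."""
    return re.sub(r"\s*([,+=])\s*", r"\1", dn.strip()).lower()


def parse_acl(acl: str) -> Tuple[str, List[Tuple[str, str]]]:
    """Split 'to <what> by <who> <access> by <who> <access> ...' into parts."""
    m = re.match(r"\s*to\s+(\S+)\s+(.*)$", acl, re.S)
    if not m:
        raise ValueError("not an access rule: %r" % acl)
    what, rest = m.group(1), m.group(2)
    clauses = re.findall(r"by\s+(\S+)\s+(\S+)", rest)
    if not clauses:
        raise ValueError("rule has no <by> clauses")
    return what, clauses


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    """Does one <who> selector apply to this bind DN (None = anonymous)?"""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        # 'self' means the bound DN is exactly the DN of the entry being accessed.
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(target_dn)
    if who.startswith("dn.exact="):
        wanted = who[len("dn.exact="):]
        return bind_dn is not None and normalize_dn(bind_dn) == normalize_dn(wanted)
    raise ValueError("selector not modelled: %s" % who)


def access_for(acl: str, bind_dn: Optional[str], target_dn: str) -> str:
    """Access level the rule grants; 'none' when no <who> clause matches."""
    what, clauses = parse_acl(acl)
    if what != "*":
        raise ValueError("only 'to *' rules are modelled")
    for who, access in clauses:
        if who_matches(who, bind_dn, target_dn):
            return access
    return "none"


def demo() -> List[Tuple[str, str]]:
    """Walk the thread's rule through the cases the poster describes (constructed DNs)."""
    alice = "uid=alice,dc=example,dc=org"       # constructed replica entry
    bob = "uid=bob,dc=example,dc=org"           # constructed second entry
    peercred = "gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth"
    return [
        ("anonymous reads alice", access_for(THREAD_ACL, None, alice)),
        ("alice reads alice (self)", access_for(THREAD_ACL, alice, alice)),
        ("ALICE with different case", access_for(THREAD_ACL, alice.upper(), alice)),
        ("bob reads alice", access_for(THREAD_ACL, bob, alice)),
        ("bob reads alice, users variant", access_for(USERS_ACL, bob, alice)),
        ("peercred external auth", access_for(THREAD_ACL, peercred, alice)),
    ]


if __name__ == "__main__":
    for label, level in demo():
        print("%-32s -> %s" % (label, level))
```

The point the model makes: "users" fires for any authenticated bind, whereas "self" only fires when the DN slapd associates with the bind is, after normalisation, the same DN as the entry being read. A symptom of "users works, self does not" is therefore worth checking against what DN the replica actually records for a forwarded bind, which is a question for slapd's logs rather than for this model.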