I have a proxy server ('ldap' backend) sitting in front of a master directory.
The DNs on my master directory are UUIDs + ou + domain, e.g. myid=1234...89,dc=yada,dc=com.
Each object has a (unique) username attribute.
Logging in on the proxy server involves mapping the username to the DN
rwm-rewriteMap ldap uid2DN "ldaps://server.somewhere.com/ou=something,dc=xyz,dc=com?dn?sub" binddn="uid=..." credentials="xxx"
rwm-rewriteContext bindDN
rwm-rewriteRule "^uid=([a-z0-9_]{3,24}),ou=zzz" "${uid2DN(myusername=$1)}" ":@I"
I would like anyone logging in as themselves to be able to read their own attributes. I'm having trouble doing this. 'Self' doesn't seem to work because of the mapping going on, e.g.
access to dn.sub="ou=vpn" by self read by anonymous auth by * none
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com", (read(=rscxd))
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access denied by none(=0
I think 'self' doesn't match because myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz does not equal myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (is my thinking correct on this?)
How do I allow a user to read their own attributes in this situation?
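As an added illustration (not part of the original thread), the Python script below parses slapd ACL-trace lines of the kind quoted in the question, maps the `[3]` clause index in the trace back to the matching `by ... ` clause of the `access` directive, and checks whether `by self` could ever match by comparing the bound DN with the entry DN. The sample log and ACL are constructed from the question's text (the cut-off last trace line is completed with its closing parenthesis); normalising a DN by case-folding each RDN is a simplification of slapd's per-syntax matching rules.

```python
"""Diagnose why 'by self' did not match in a slapd ACL trace (added example)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample input, based on the trace quoted in the question,
# one log record per line.
SAMPLE_LOG = """\
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: access to entry "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz", attr "entry" requested
Aug 11 11:22:09 mid slapd[5848]: => acl_mask: to all values by "myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com", (read(=rscxd))
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: self
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: anonymous
Aug 11 11:22:09 mid slapd[5848]: <= check a_dn_pat: *
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] applying none(=0) (stop)
Aug 11 11:22:09 mid slapd[5848]: <= acl_mask: [3] mask: none(=0)
Aug 11 11:22:09 mid slapd[5848]: => slap_access_allowed: read access denied by none(=0)
"""

# The ACL from the question, as it appears in slapd.conf.
SAMPLE_ACL = 'access to dn.sub="ou=vpn" by self read by anonymous auth by * none'

RE_ENTRY = re.compile(r'=> acl_mask: access to entry "(?P<dn>[^"]*)", attr "(?P<attr>[^"]*)" requested')
RE_BY = re.compile(r'=> acl_mask: to all values by "(?P<dn>[^"]*)", \((?P<access>.*)\)\s*$')
RE_PAT = re.compile(r'<= check a_dn_pat: (?P<pat>\S+)')
RE_APPLY = re.compile(r'<= acl_mask: \[(?P<n>\d+)\] applying (?P<mask>\S+)')
RE_RESULT = re.compile(r'slap_access_allowed: (?P<op>\w+) access (?P<verdict>granted|denied)')


@dataclass
class AclTrace:
    entry_dn: str = ""            # target entry being accessed
    attr: str = ""                # attribute (or pseudo-attribute "entry")
    bind_dn: str = ""             # identity slapd evaluated the ACL for
    requested: str = ""           # access level requested, e.g. read(=rscxd)
    patterns_checked: List[str] = field(default_factory=list)
    applied_clause: Optional[int] = None   # 1-based index shown as [n]
    applied_mask: str = ""
    verdict: str = ""


def parse_acl_trace(text: str) -> AclTrace:
    """Collect the fields of one acl_mask evaluation from trace lines."""
    t = AclTrace()
    for line in text.splitlines():
        if m := RE_ENTRY.search(line):
            t.entry_dn, t.attr = m["dn"], m["attr"]
        elif m := RE_BY.search(line):
            t.bind_dn, t.requested = m["dn"], m["access"]
        elif m := RE_PAT.search(line):
            t.patterns_checked.append(m["pat"])
        elif m := RE_APPLY.search(line):
            t.applied_clause, t.applied_mask = int(m["n"]), m["mask"]
        elif m := RE_RESULT.search(line):
            t.verdict = m["verdict"]
    return t


def parse_acl_clauses(acl: str) -> List[Tuple[str, str]]:
    """Split an 'access to ... by <who> <level> by ...' directive into
    (who, level) pairs; slapd's [n] index counts them from 1."""
    return [tuple(p.rsplit(" ", 1)) for p in acl.split(" by ")[1:]]


def normalize_dn(dn: str) -> List[str]:
    """Split on unescaped commas and case-fold each RDN (simplification)."""
    return [rdn.strip().lower() for rdn in re.split(r"(?<!\\),", dn)]


def self_matches(entry_dn: str, bind_dn: str) -> bool:
    """'by self' matches only when the bound DN is the entry's own DN."""
    return normalize_dn(entry_dn) == normalize_dn(bind_dn)


def split_common_prefix(entry_dn: str, bind_dn: str):
    """Return (shared leading RDNs, rest of entry DN, rest of bind DN)."""
    e, b = normalize_dn(entry_dn), normalize_dn(bind_dn)
    n = 0
    while n < min(len(e), len(b)) and e[n] == b[n]:
        n += 1
    return e[:n], e[n:], b[n:]


def diagnose(trace: AclTrace, acl: str) -> str:
    clauses = parse_acl_clauses(acl)
    who, level = clauses[trace.applied_clause - 1] if trace.applied_clause else ("?", "?")
    out = [f"{trace.verdict}: {trace.requested} on {trace.entry_dn!r}, attr {trace.attr!r}",
           f"decided by clause [{trace.applied_clause}] 'by {who} {level}' -> {trace.applied_mask}"]
    if "self" in trace.patterns_checked and not self_matches(trace.entry_dn, trace.bind_dn):
        shared, e_rest, b_rest = split_common_prefix(trace.entry_dn, trace.bind_dn)
        out.append("'self' cannot match: bind DN is not the entry DN")
        out.append(f"  shared RDN(s): {','.join(shared) or '(none)'}")
        out.append(f"  entry suffix:  {','.join(e_rest)}")
        out.append(f"  bind suffix:   {','.join(b_rest)}")
    return "\n".join(out)


if __name__ == "__main__":
    print(diagnose(parse_acl_trace(SAMPLE_LOG), SAMPLE_ACL))
```

Run against the sample, the script reports that the request was denied by clause 3 (`by * none`) and that `self` could not match because the bound identity carries the rewritten suffix `ou=something,dc=xyz,dc=com` while the entry lives under `ou=zzz`; that is exactly the mismatch the question suspects.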
If I get you correctly, you bind as
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=zzz (1)
and you want it rewritten as
myid=c44883ba-ac62-d28c-556f-99ccbf532da7,ou=something,dc=xyz,dc=com (2)
but then you would like slapd to recognize (2) as "self" of (1); one thing you could probably do is use authz-regexp (see slapd.conf(5)) to authorize (2) as (1) again (although I think this is getting too much wound up to make any sense). At this point, the identity would appear as (1) for "self", and as (2) for "realself". I haven't checked, so I can't guarantee it works.
p.