Hi everyone,
As I understand from the documentation, acl-bind is a technique to fetch ACLs from the backend LDAP to the LDAP proxy and apply them there. Is this correct? I can't find any working example with logs shown to prove my idea, nor can I get my configs to work. Maybe there is something I don't know? My configs:
/etc/ldap/slapd.d/cn=config/olcDatabase={2}ldap.ldif:

  dn: olcDatabase={2}ldap
  objectClass: olcDatabaseConfig
  objectClass: olcLDAPConfig
  olcDatabase: {2}ldap
  structuralObjectClass: olcLDAPConfig
  entryUUID: da219748-6515-1031-9486-41b4d47f5b36
  olcSuffix: dc=ktu,dc=lt
  olcDbURI: ldap://83.171.20.45
  olcDbIdleTimeout: 60
  olcDbACLBind: bindmethod=simple binddn="cn=test,dc=ktu,dc=lt" credentials="test"
Logs:

  Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: access to entry "dc=ktu,dc=lt", attr "entry" requested
  Jul 19 12:17:36 bijote slapd[1435]: => acl_mask: to all values by "cn=admin,dc=ktu,dc=lt", (=0)
  Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
  Jul 19 12:17:36 bijote slapd[1435]: <= check a_dn_pat: *
  Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] applying +0 (break)
  Jul 19 12:17:36 bijote slapd[1435]: <= acl_mask: [2] mask: =0
  Jul 19 12:17:36 bijote slapd[1435]: => dn: [2]
  Jul 19 12:17:36 bijote slapd[1435]: => dn: [3] cn=subschema
  Jul 19 12:17:36 bijote slapd[1435]: <= acl_get: done.
  Jul 19 12:17:36 bijote slapd[1435]: => slap_access_allowed: no more rules
It is clearly visible that there are no ACL configs in the database definition, and the ACLs come from the frontend database (defaults):
/etc/ldap/slapd.d/cn=config/olcDatabase={2}ldap.ldif:

  ...
  olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
  olcAccess: {1}to dn.exact="" by * read
  olcAccess: {2}to dn.base="cn=Subschema" by * read
  ...
As I understand it, there should be ACLs in the LDAP proxy (custom or default, tied to the backend's ACLs or not). Please help me clear things up.
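As an added example, not part of the original post or of any OpenLDAP documentation: the cn=config modification below puts explicit olcAccess rules on the proxy's back-ldap database (olcDatabase={2}ldap) next to the olcDbACLBind setting from the post. Per slapd-ldap(5), acl-bind defines the identity the proxy itself binds with on the remote server when it has to read remote entries for access-control evaluation (for example a group entry referenced by a group= clause); the rules themselves are ordinary slapd ACLs configured on the proxy. The admin DN, the group DN, the test bind DN and its password are assumptions carried over from the post, not verified values.

```ldif
# Added example (editor's, not the poster's configuration).
# Target: the back-ldap proxy database from the post. Assumed names:
#   cn=admin,dc=ktu,dc=lt        - proxy administrator (from the logs)
#   cn=ldapadmins,ou=groups,dc=ktu,dc=lt - hypothetical group on the remote server
#   cn=test,dc=ktu,dc=lt / "test" - acl-bind identity taken from the post
dn: olcDatabase={2}ldap,cn=config
changetype: modify
replace: olcDbACLBind
olcDbACLBind: bindmethod=simple binddn="cn=test,dc=ktu,dc=lt" credentials="test"
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by * none
olcAccess: {1}to *
  by dn.exact="cn=admin,dc=ktu,dc=lt" write
  by group/groupOfNames/member="cn=ldapadmins,ou=groups,dc=ktu,dc=lt" write
  by users read
  by * none
```

Apply it over the local socket as root, which the frontend's peercred rule allows: `ldapmodify -Y EXTERNAL -H ldapi:/// -f proxy-acl.ldif`, then confirm with `ldapsearch -Y EXTERNAL -H ldapi:/// -b 'olcDatabase={2}ldap,cn=config' olcAccess olcDbACLBind`. The group clause in rule {1} is the case where the acl-bind identity matters: to decide it, slapd on the proxy must fetch cn=ldapadmins from the remote server, so cn=test needs read access there to that entry and its member attribute; if the remote server denies it, the clause silently never matches and the search falls through to `by users read`. Each continuation line starts with two spaces (one LDIF fold marker plus one real space) so the folded olcAccess values stay valid.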