I have a configuration somewhat similar to the one below, and the ACLs seem to be applied using the non-rewritten DN, which causes the self specifier to never match.
We are in the process of configuring a more secure LDAP server with stricter ACLs and extra security checks without affecting existing applications. For this purpose we are putting a rewriting proxy in front of several legacy LDAP servers. Ideally, the ACLs would be put in place on the original servers but this is not easily possible in this environment.
Is this a bug or am I doing something wrong?
Configuration snippet (simplified and anonymised):
access to attrs=userPassword
        by self =xw
        by anonymous auth
        by * none

access to *
        by self read
        by * search

database ldap
suffix "ou=department1,dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
subordinate
uri "ldap://192.168.1.1"
overlay rwm
rwm-suffixmassage "ou=department1,dc=example,dc=com" "dc=department1,dc=local"

database ldap
suffix "ou=department2,dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
subordinate
uri "ldap://192.168.1.2"
overlay rwm
rwm-suffixmassage "ou=department2,dc=example,dc=com" "dc=department2,dc=local"

database bdb
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
rootpw {SSHA}5OWnUtaKRBk7x0UBQKO/HOgMZQoCczY5
directory /var/openldap-data
cachesize 1000
index objectClass eq
index cn,mail pres,eq,sub
index uid,uidNumber pres,eq
Part of the slapd output with -d 896 (again, anonymised):
5295fbb1 conn=1000 fd=27 ACCEPT from IP=127.0.0.1:48903 (IP=0.0.0.0:3389)
5295fbb1 conn=1000 op=0 BIND dn="uid=ldaptest,ou=People,ou=department2,dc=example,dc=com" method=128
5295fbb1 conn=1000 op=0 BIND dn="uid=ldaptest,ou=People,dc=department2,dc=local" mech=SIMPLE ssf=0
5295fbb1 conn=1000 op=0 RESULT tag=97 err=0 text=
5295fbb1 conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
5295fbb1 => access_allowed: search access to "dc=example,dc=com" "entry" requested
5295fbb1 => dn: [1]
5295fbb1 => acl_get: [3] attr entry
5295fbb1 => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
5295fbb1 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb1 <= check a_dn_pat: self
5295fbb1 <= check a_dn_pat: *
5295fbb1 <= acl_mask: [2] applying search(=scxd) (stop)
5295fbb1 <= acl_mask: [2] mask: search(=scxd)
5295fbb1 => slap_access_allowed: search access granted by search(=scxd)
5295fbb1 => access_allowed: search access granted by search(=scxd)
[...]
5295fbb2 => access_allowed: read access to "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com" "entry" requested
5295fbb2 => dn: [1]
5295fbb2 => acl_get: [3] attr entry
5295fbb2 => acl_mask: access to entry "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com", attr "entry" requested
5295fbb2 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb2 <= check a_dn_pat: self
5295fbb2 <= check a_dn_pat: *
5295fbb2 <= acl_mask: [2] applying search(=scxd) (stop)
5295fbb2 <= acl_mask: [2] mask: search(=scxd)
5295fbb2 => slap_access_allowed: read access denied by search(=scxd)
5295fbb2 => access_allowed: no more rules
5295fbb2 send_search_entry: conn 1000 access to entry (uid=ldaptest,ou=People,ou=department2,dc=example,dc=com) not allowed
The DN that is used seems to be uid=ldaptest,ou=people,dc=department2,dc=local, which is how we were bound to the second LDAP server.
Thanks
PS: I would also be very interested in a solution for http://www.openldap.org/lists/openldap-technical/201302/msg00152.html
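As an added diagnostic example (not part of the original post or of OpenLDAP), the script below parses the acl_mask lines of a slapd -d 896 trace, applies the rwm-suffixmassage mapping from the proxy configuration, and reports when a "by self" clause cannot match because the bound DN is the massaged backend form of the entry DN being checked. The trace lines and the suffix table are constructed to mirror the post; the function names are my own.

```python
import re
# Constructed sample, modeled on the slapd -d 896 ACL trace quoted in the post (not the real log).
SAMPLE_TRACE = """\
5295fbb2 => acl_mask: access to entry "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com", attr "entry" requested
5295fbb2 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb2 <= check a_dn_pat: self
5295fbb2 <= check a_dn_pat: *
"""
# rwm-suffixmassage pairs from the proxy configuration: virtual suffix -> backend suffix.
SUFFIX_MASSAGE = {"ou=department2,dc=example,dc=com": "dc=department2,dc=local"}
ENTRY_RE = re.compile(r'acl_mask: access to entry "([^"]*)"')
BY_RE = re.compile(r'acl_mask: to all values by "([^"]*)"')
PAT_RE = re.compile(r"check a_dn_pat: (\S+)")

def normalize_dn(dn):
    """Lowercase and strip blanks around RDN separators, approximating slapd's normalized DN."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def massage(dn, table):
    """Rewrite a DN the way rwm-suffixmassage does when it sits under a virtual suffix."""
    n = normalize_dn(dn)
    for virtual, backend in table.items():
        v = normalize_dn(virtual)
        if n == v or n.endswith("," + v):
            return n[: len(n) - len(v)] + normalize_dn(backend)
    return n

def parse_acl_checks(trace):
    """One record per acl_mask evaluation: target entry DN, bound DN and the by-clauses tried."""
    checks, cur = [], None
    for line in trace.splitlines():
        if m := ENTRY_RE.search(line):
            cur = {"entry": m.group(1), "by": None, "patterns": []}
            checks.append(cur)
        elif cur and (m := BY_RE.search(line)):
            cur["by"] = m.group(1)
        elif cur and (m := PAT_RE.search(line)):
            cur["patterns"].append(m.group(1))
    return checks

def diagnose_self(check, table):
    """Explain why a 'by self' clause did or did not match, accounting for suffix massaging."""
    if "self" not in check["patterns"] or check["by"] is None:
        return "self not evaluated"
    entry, bound = normalize_dn(check["entry"]), normalize_dn(check["by"])
    if entry == bound:
        return "self matches"
    if massage(entry, table) == bound:
        return "self cannot match: bound DN is the massaged backend form of the entry DN"
    return "self does not match: different identity"
```

Running diagnose_self over parse_acl_checks(SAMPLE_TRACE) with SUFFIX_MASSAGE reports the "self cannot match" case, which is the symptom the trace above shows.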