Hello,
I have set up a translucent proxy and things have been working rather well. I've been able to add/delete and modify local attributes authenticating with the local rootdn. All this has been done using openldap's command line tools. I now have the need to use a web based interface and so I installed phpldapadmin. To my surprise, I can login using the local rootdn but I'm not able to browse or search for any entry in that branch, although I have write access acls, besides the rootdn declaration.
The database definition is as follows:
--- snip ---
database hdb
suffix "dc=example,dc=com"
rootdn cn=loadmin,dc=example,dc=com
rootpw secret
directory "/var/lib/ldap"
lastmod on

access to attrs=userPassword,sambaNTPassword,krb5Key
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=loadmin,dc=example,dc=com" write
    by dn.exact="cn=reader,dc=example,dc=com" read
    by self read
    by anonymous auth
    by * none

access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=loadmin,dc=example,dc=com" write
    by * read

index sambaSID,sambaPrimaryGroupSID eq

overlay translucent
uri "ldap://ldapbackend.example.com"
acl-bind binddn="cn=reader,dc=example,dc=com" credentials="secret"
translucent_strict
translucent_remote objectClass
translucent_local sambaSID,sambaPrimaryGroupSID,sambaAcctFlags

overlay glue
--- snip ---
I see no problem in the configuration, but do please point out to me any misconfiguration that might be leading to this behaviour. Since I've been able to use the command line tools, I initially supposed it was a misconfiguration or even a bug in phpldapadmin, but I'm starting to consider the problem as a limitation of the translucent overlay. Should I consider this scenario also?
(I know I should be using runtime config already... Let us leave that to another occasion ;) )
Best regards,
Hugo Monteiro.
I thought about putting it in a simpler way.
OpenLDAP 2.4.23 with translucent proxy.
I'm able to add/remove/modify attributes locally using the rootdn defined in the server configuration. I'm NOT able to browse or perform searches using those same credentials. I always get 0 entries. I am however able to perform searches and browse the tree if I bind anonymously or if I bind with one of the LDAP user accounts.
Is this behaviour to be expected? Is there any way to use a single pair of credentials and be able to add/delete/modify/browse/search?
The database definition is as follows:
--- snip ---
database hdb
suffix "dc=example,dc=com"
rootdn cn=loadmin,dc=example,dc=com
rootpw secret
directory "/var/lib/ldap"
lastmod on

access to attrs=userPassword,sambaNTPassword,krb5Key
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=loadmin,dc=example,dc=com" write
    by dn.exact="cn=reader,dc=example,dc=com" read
    by self read
    by anonymous auth
    by * none

access to *
    by dn.exact="cn=admin,dc=example,dc=com" write
    by dn.exact="cn=loadmin,dc=example,dc=com" write
    by * read

index sambaSID,sambaPrimaryGroupSID eq

overlay translucent
uri "ldap://ldapbackend.example.com"
acl-bind binddn="cn=reader,dc=example,dc=com" credentials="secret"
translucent_strict
translucent_remote objectClass
translucent_local sambaSID,sambaPrimaryGroupSID,sambaAcctFlags

overlay glue
--- snip ---
Best Regards,
Hugo Monteiro.
Everything was actually correct, but for a minor detail. I had a typo in the acl-bind password. Sorry for the noise.
Regards,
Hugo Monteiro.
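A check for the failure mode in this thread (a wrong acl-bind password makes rootdn searches through the translucent overlay come back with 0 entries), added here as an example and not code from the thread: it pulls the overlay's uri, binddn and credentials out of slapd.conf and binds to the backend with those exact values using ldapwhoami, so a typo in the file is caught directly rather than by retyping the password. The sample config is constructed from the thread's own directives; ldapwhoami from the OpenLDAP client tools is assumed to be installed, and the binddn is assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: verify the credentials slapd will use for the translucent
# overlay's acl-bind by reading them from the config file itself.

# Print "uri binddn credentials" from the "overlay translucent" block of a
# slapd.conf (one directive per line, as in the thread). Assumes the binddn
# contains no spaces.
translucent_bind_params() {
    awk '
        /^overlay[ \t]+translucent/ { in_ov = 1; next }   # enter the overlay block
        /^overlay[ \t]+/           { in_ov = 0 }          # any other overlay ends it
        in_ov && /^uri[ \t]+/      { uri = $2; gsub(/"/, "", uri) }
        in_ov && /^acl-bind/ {
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^binddn=/)      { dn = $i; sub(/^binddn=/, "", dn); gsub(/"/, "", dn) }
                if ($i ~ /^credentials=/) { pw = $i; sub(/^credentials=/, "", pw); gsub(/"/, "", pw) }
            }
        }
        END { print uri, dn, pw }
    ' "$1"
}

# Bind to the backend as the acl-bind identity. Exit status 0 means the
# password in slapd.conf is the one the backend accepts; anything else is the
# typo this thread ended on. Requires ldapwhoami (OpenLDAP client tools).
check_acl_bind() {
    set -- $(translucent_bind_params "$1")
    ldapwhoami -x -H "$1" -D "$2" -w "$3" >/dev/null 2>&1
}

# Constructed sample config with the thread's overlay directives; written to a
# temp file whose path is echoed so the functions above can be tried offline.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
database hdb
suffix "dc=example,dc=com"
rootdn cn=loadmin,dc=example,dc=com
rootpw secret

overlay translucent
uri "ldap://ldapbackend.example.com"
acl-bind binddn="cn=reader,dc=example,dc=com" credentials="secret"
translucent_strict
overlay glue
EOF
    echo "$f"
}

# Usage against a live setup: check_acl_bind /etc/ldap/slapd.conf && echo "acl-bind OK"
```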
openldap-technical@openldap.org