Hi,
I have a question regarding ACLs used together with the chaining overlay configuration. I'm building several LDAP servers which should chain to each other, based on the selected path. I now wanted to prevent a chaining loop by using ACLs, but that doesn't work for me. It seems like the ACL is not used for the referral objects.
sample referral object:

    dn: o=testldap2,c=de
    objectClass: referral
    objectClass: extensibleObject
    o: testldap2
    ref: ldap://testldap2/c=de
chaining config:

    overlay chain
    chain-uri ldap://testldap2
    chain-rebind-as-user yes
    chain-idassert-bind bindmethod="simple" binddn="cn=xxxxxx" credentials="yyyy" mode="self"
    chain-max-depth 1
    chain-return-error TRUE
ACL config:

    access to dn.base="o=testldap2,c=de"
        by peername.ip=192.168.1.1 none
        by * read
192.168.1.1 is the IP address of "testldap2". Every time a request from this IP occurs, the server should block access to the (referral) object, because it must be a "chained" request.
But that doesn't work. Also the parameter "chain-max-depth" seems not to work. I'm currently using OpenLDAP version 2.3.20 (but I also tried the latest one).
Yours sincerely, Kay
Kay.Kirchhoefer@t-systems.com wrote:
Not sure, I haven't tried and I'm writing it by heart, but you should probably add a "chain-acl-bind" instruction, whose syntax is almost the same as the chain-idassert-bind, except for the "mode" parameter that is not required (nor allowed).
p.
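To show how the pieces from Kay's post and the chain-acl-bind suggestion in the reply fit together in one file, here is a slapd.conf fragment for the server that holds the referral object (the post's first server). This is an added example, not configuration from the thread or from the OpenLDAP project; the host name, DNs, credentials and the 192.168.1.1 address are the thread's own placeholders, the database, suffix and rootdn lines are assumptions, and the directive set and ordering should be checked against slapo-chain(5) and slapd.access(5) for the installed release.

```conf
# Added example (not from the thread): chain overlay plus peername ACL for the
# server that holds the referral entry. Placeholder values are assumptions.

database        bdb
suffix          "c=de"
rootdn          "cn=Manager,c=de"
rootpw          secret
directory       /var/lib/ldap

# ACL evaluation stops at the first "access to" clause whose target matches,
# so the referral-specific rule must precede the catch-all rule.
access to dn.base="o=testldap2,c=de"
        by peername.ip=192.168.1.1 none
        by * read

access to *
        by * read

# Chaining configuration from the post; chain-uri must come first, the
# remaining chain-* directives apply to that URI.
overlay         chain
chain-uri       "ldap://testldap2"
chain-rebind-as-user yes

# Identity asserted on behalf of the client when referrals are chased.
chain-idassert-bind bindmethod="simple"
        binddn="cn=xxxxxx"
        credentials="yyyy"
        mode="self"

# Identity the overlay binds with when it performs its own ACL checks
# (the reply's suggestion): same syntax as chain-idassert-bind, but the
# "mode" keyword is not allowed here.
chain-acl-bind  bindmethod="simple"
        binddn="cn=xxxxxx"
        credentials="yyyy"

chain-max-depth 1
chain-return-error TRUE
```

The ACL part can be checked offline, without involving the chained server at all, with slapacl(8), which takes the peer address as an option: `slapacl -f slapd.conf -v -b "o=testldap2,c=de" -o peername="IP=192.168.1.1:389" entry/read` should report that read on the entry is denied, while the same command with any other peername should report it allowed. If that check passes but live chained requests still see the entry, the problem is in the chain overlay's bind identity rather than in the ACL itself.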
openldap-technical@openldap.org