Hello list,
I'm using translucent in a local server. That same server also has an extra local database, which is a local only branch of the remote database. This database is a subordinate and they glue together well. Now, for the sake of management, I need to be able to identify to the local database (rootdn) but using credentials from the remote database. Assuming one has
translucent to remote - dc=example,dc=com with remote admin user cn=admin,dc=example,dc=com
local - ou=localbranch,dc=example,dc=com with rootdn admin user cn=admin,ou=localbranch,dc=example,dc=com
I tried the following on the local server
database hdb
suffix "ou=localbranch,dc=example,dc=com"
rootdn "cn=admin,ou=localbranch,dc=example,dc=com"
rootpw "secret"
directory "/var/lib/ldap/ou=localbranch,dc=example,dc=com"
index objectClass,sambaSID eq
lastmod on
authz-regexp "cn=admin,dc=example,dc=com" "cn=admin,ou=localbranch,dc=example,dc=com"
access to dn.base="ou=localbranch,dc=example,dc=com" by * read
access to * by dn="cn=admin,ou=localbranch,dc=example,dc=com" write by dn="cn=admin,dc=example,dc=com" write by * read
subordinate
The credentials used to connect to the remote server have full read only access to the remote database.
So the problem is that when I try to authenticate using cn=admin,dc=example,dc=com, to the local database branch, I can see the bind request being transluced to the remote server without using the authz-regexp map.
Any advice is appreciated,
Hugo Monteiro.
Hugo,
Hugo Monteiro wrote on 23.02.2011 at 13:22:
I'm using translucent in a local server. That same server also has an extra local database, which is a local only branch of the remote database. This database is a subordinate and they glue together well. Now, for the sake of management, I need to be able to identify to the local database (rootdn) but using credentials from the remote database. Assuming one has
translucent to remote - dc=example,dc=com with remote admin user cn=admin,dc=example,dc=com
local - ou=localbranch,dc=example,dc=com with rootdn admin user cn=admin,ou=localbranch,dc=example,dc=com
I tried the following on the local server
database hdb
suffix "ou=localbranch,dc=example,dc=com"
rootdn "cn=admin,ou=localbranch,dc=example,dc=com"
rootpw "secret"
Have you tried
database hdb
suffix "ou=localbranch,dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
? Where cn=admin,dc=example,dc=com is a valid object you can bind to. You cannot have rootpw here, because "The password can only be set if the rootdn is within the namingContext (suffix) of the database." man slapd.conf
Marc
Hello Marc,
On 02/23/2011 03:37 PM, Marc Patermann wrote:
Hugo,
Hugo Monteiro wrote on 23.02.2011 at 13:22:
I'm using translucent in a local server. That same server also has an extra local database, which is a local only branch of the remote database. This database is a subordinate and they glue together well. Now, for the sake of management, I need to be able to identify to the local database (rootdn) but using credentials from the remote database. Assuming one has
translucent to remote - dc=example,dc=com with remote admin user cn=admin,dc=example,dc=com
local - ou=localbranch,dc=example,dc=com with rootdn admin user cn=admin,ou=localbranch,dc=example,dc=com
I tried the following on the local server
database hdb
suffix "ou=localbranch,dc=example,dc=com"
rootdn "cn=admin,ou=localbranch,dc=example,dc=com"
rootpw "secret"
Have you tried
Now i have. :)
database hdb
suffix "ou=localbranch,dc=example,dc=com"
rootdn "cn=admin,dc=example,dc=com"
? Where cn=admin,dc=example,dc=com is a valid object you can bind to. You cannot have rootpw here, because "The password can only be set if the rootdn is within the namingContext (suffix) of the database." man slapd.conf
Marc
Yes, I read about the naming context restrictions and wrongfully understood that it would apply to the rootdn/rootpw pair. Your suggestion did the trick. And it was so simple I can't help feeling a bit of shame. Thanks!
My Best Regards,
Hugo Monteiro.
openldap-technical@openldap.org