6:22 a.m.
Hi All,
I've Jasig CAS connected to OpenLDAP for users authentication.
My LDAP Schema is the following:
dc=com
dc=companyA,dc=com
ou=user,dc=companyA,dc=com
dc=companyB,dc=com
ou=user,dc=companyB,dc=com
I would like to give to a specific user
(cn=admin,ou=user,dc=companyB,dc=com)
the ability to create inetOrgPerson objetcs under ou=user,dc=companyA,dc=com
and the restriction to have only search access to
ou=user,dc=companyB,dc=com where actually some attributes should be hidden
(such as userPassword).
I tried several ACL but always with one strange problem: a user is able to
login via CAS. Then, he/she logouts and if try with a different account
then LDAP returns DN_RESOLUTION_FAILURE.
That issue is occurring even with a simple ACL such as:
access to *
by self write
by anonymous auth
by users search
The only way to workaround that issue is removing any ACL or leaving "by
users read".
As DN bind I'm using dc=com.
Any suggestion? I cannot understand if focusing on CAS for this issue, or
ACL LDAP side.
Thanks a LOT for the support!
Simone
3:52 p.m.
Simone Taliercio wrote:
access to *
by self write
by anonymous auth
by users search
The only way to workaround that issue is removing any ACL or leaving "by users
read".
Looking at the ACL above you likely run into a misunderstanding.
You should carefully read slapd.access(5). Especially the very important
section "THE ACCESS DIRECTIVE" describes significance of order of <what>
and
<who> clauses and that the checking stops at the first matching <what> and
<who> clause (if control flow is not explicitly redirected).
Given the example above you might rather want this:
access to *
by self write
by users search
by * auth
YMMV.
Also it's very handy to run slapd -d stats,acl [..other params..] to get ACL
debugging displayed on console.
Ciao, Michael.
3:41 a.m.
Hi Michael,
Thanks for your support. I also realize my misunderstanding, but it was not
enough.
What really did the trick was to disable the "pooled bind" and "pooled
search" on the CAS side (deployerConfigContext.xml).
Today and tomorrow we will test the new configuration.
Fingers crossed!
Simone
2015-08-20 0:52 GMT+02:00 Michael Ströder <michael(a)stroeder.com>:
Simone Taliercio wrote:
> access to *
> by self write
> by anonymous auth
> by users search
>
> The only way to workaround that issue is removing any ACL or leaving "by
users
> read".
Looking at the ACL above you likely run into a misunderstanding.
You should carefully read slapd.access(5). Especially the very important
section "THE ACCESS DIRECTIVE" describes significance of order of <what>
and
<who> clauses and that the checking stops at the first matching <what> and
<who> clause (if control flow is not explicitly redirected).
Given the example above you might rather want this:
access to *
by self write
by users search
by * auth
YMMV.
Also it's very handy to run slapd -d stats,acl [..other params..] to get
ACL
debugging displayed on console.
Ciao, Michael.
2845
days inactive
2846
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Michael Ströder -
Simone Taliercio