Hey, all!
First, a BIG thank you to both JoBbZ and tarpman in #openldap, they've got me this far (p.s. JoBbZ- switched over to the symas packages for my test env, replacement was more or less seamless. need to schedule some downtime for prod, but thanks for passing that along!)
However, I'm not at a standstill.
I'm using the OLC config (...I guess that's like saying "PIN number").
I have two servers, foo.domain.tld and bar.domain.tld. foo.domain.tld has DSA of dc=domain,dc=com and bar.domain.tld has a DSA of dc=domain,dc=net.
I can successfully auth as e.g. cn=username,dc=domain,dc=net to foo.domain.tld using the following configuration (at olcDatabase={3}ldap,cn=config):
dn: olcDatabase={3}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
olcDatabase: {3}ldap
olcDbIDAssertAuthzFrom: {0}"dn:*"
olcDbIDAssertBind: mode=self
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: start
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
However, when I attempt to e.g. implement the following ACL on foo.domain.tld:
{2}to dn.exact="ou=groupname,dc=domain,dc=com" attrs=children (...) by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage by * none
I get the error:
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(it is a given that cn=username,dc=domain,dc=net is indeed a member ("member" attribute) of the groupOfNames object cn=GroupAdmins,dc=domain,dc=net and additionally, the cn=username,dc=domain,dc=net object has the "memberOf" attribute "cn=GroupAdmins,dc=domain,dc=net")
I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I need to reference the group in the ACL explicitly with the LDAP URI prefixed or something?
On 2/7/20 19:42, brent s. wrote:
{2}to dn.exact="ou=groupname,dc=domain,dc=com" attrs=children (...) by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage by * none
I get the error:
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(it is a given that cn=username,dc=domain,dc=net is indeed a member ("member" attribute) of the groupOfNames object cn=GroupAdmins,dc=domain,dc=net and additionally, the cn=username,dc=domain,dc=net object has the "memberOf" attribute "cn=GroupAdmins,dc=domain,dc=net")
Sorry, borked the scrubbing.
Correction: the above ACL line and references to it should be:
by group.exact="cn=GroupAdmins,ou=Groups,dc=domain,dc=net" manage
(as reflected in the log entries), not:
by group.exact="cn=GroupAdmins,dc=domain,dc=net" manage
On 2/7/20 19:42, brent s. wrote:
Hey, all!
(SNIP)
I get the error:
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(SNIP)
I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I need to reference the group in the ACL explicitly with the LDAP URI prefixed or something?
Update: this was indeed a PEBKAC. I'm not sure which exactly caused it, but it is now working after:
1.) I added an appropriate TLS_CACERT to /etc/openldap/ldap.conf (is this redundant with OLC? See #2 below) on the proxy and the target server.
2.) I changed olcTLSCACertificateFile on cn=config to match the value of #1 on the proxy and target server.
3.) The olcDatabase={3}ldap,cn=config entry now reads as such:
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxyUser,dc=domain,dc=net" credentials=somePasswordHere starttls=critical tls_protocol_min=1.2
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
I can now both auth successfully as a bind DN located on dc=domain,dc=net to dc=domain,dc=com AND use group-based ACL rules on dc=domain,dc=com based on groups found on dc=domain,dc=net (after appropriate ACL rules for reading those groups' membership were created on dc=domain,dc=net for cn=proxyUser,dc=domain,dc=net).
Sorry for the noise!
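As an added illustration (not part of the thread, and not a configuration the poster published in this form), the three changes from the update written as ldapmodify input, followed by the least-privilege ACL on bar.domain.tld that the last paragraph mentions and the corrected group-based rule on foo.domain.tld. The CA file path, the mdb database indices ({1} on bar, {2} on foo), the ACL positions and the proxy password are assumptions or placeholders; the proxy entry is assumed to otherwise stay as in the first message.

```ldif
# Added example, not from the original thread. Paths, database indices,
# ACL positions and the password value are assumptions / placeholders.

# (1)+(2) On BOTH foo and bar: trust the CA that signed the peer's server
#         certificate. Use the same file as TLS_CACERT in
#         /etc/openldap/ldap.conf, which libldap reads for the outbound
#         back-ldap connection (assumed path).
dn: cn=config
changetype: modify
replace: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/openldap/certs/ca.crt

# (3) On foo (the proxy): bind to bar as a dedicated proxy user instead
#     of mode=self, require StartTLS on that connection, and propagate
#     StartTLS from clients.
dn: olcDatabase={3}ldap,cn=config
changetype: modify
replace: olcDbIDAssertBind
olcDbIDAssertBind: bindmethod=simple binddn="cn=proxyUser,dc=domain,dc=net" credentials=REPLACE_WITH_PROXY_PASSWORD starttls=critical tls_protocol_min=1.2
-
replace: olcDbStartTLS
olcDbStartTLS: propagate
-
add: olcDbProtocolVersion
olcDbProtocolVersion: 3
-
add: olcDbProxyWhoAmI
olcDbProxyWhoAmI: TRUE

# On bar (the target): let ONLY the proxy user read group entries and
# their member attribute, so group.exact checks on foo can be resolved.
# {1}mdb and position {0} are assumptions; olcAccess rules are evaluated
# in order, and "break" hands everyone else on to the following rules
# instead of denying them here.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=Groups,dc=domain,dc=net" attrs=entry,member
  by dn.exact="cn=proxyUser,dc=domain,dc=net" read
  by * none break

# On foo: the rule from the thread with the corrected group DN (the
# poster's other attrs are elided here). {2}mdb for dc=domain,dc=com is
# an assumption; the rule is inserted at index {2} as in the original post.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {2}to dn.exact="ou=groupname,dc=domain,dc=com" attrs=children
  by group.exact="cn=GroupAdmins,ou=Groups,dc=domain,dc=net" manage
  by * none
```

Two practical notes: the credentials= value in olcDbIDAssertBind is stored in clear in cn=config, so keep cn=config readable only by the config rootdn and treat the proxy user as an account that can read nothing but the group membership it needs; and after applying the bar-side ACL, a quick sanity check is an ldapsearch against bar bound as cn=proxyUser,dc=domain,dc=net for the GroupAdmins entry, which should return its member values before you expect the group.exact rule on foo to start matching.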
openldap-technical@openldap.org