[389-users] Chain on Update: Proxy Auth Fails

Mrugesh Karnik mrugeshkarnik at gmail.com
Thu Aug 20 07:40:42 UTC 2009


Hi all,

I've been trying to set up Chain on Update on CentOS DS 8.1. The master-slave 
replication works. Search queries return data from the replicated database on 
the slave perfectly.

When I send an update request, the slave binds with the master with the proper 
credentials but the ACI evaluation fails on the master. From the ACI logs on 
the master, it seems to me that the master evaluates the ACIs for the 
multiplexor bind dn rather than for the original user identity. This leads me 
to believe that somehow, proxy authentication is not happening. How do I solve 
this problem?

In my setup, the following is the suffix and db configuration on the slave:

# Suffix
dn: cn="ou=Roster,dc=example,dc=com",cn=mapping tree,cn=config
cn: "ou=Roster,dc=example,dc=com"
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: RosterData
nsslapd-backend: RosterDataChain
nsslapd-distribution-plugin: /usr/lib/dirsrv/plugins/libreplication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update
nsslapd-parent-suffix: "dc=example,dc=com"

# Database
dn: cn=RosterData,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
nsslapd-suffix: ou=Roster,dc=example,dc=com

# Replica
dn: cn=replica,cn="ou=Roster,dc=example,dc=com",cn=mapping tree,cn=config
cn: replica
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
nsds5replicaroot: ou=Roster,dc=example,dc=com
nsds5replicaid: 21
nsds5replicatype: 2
nsds5flags: 0
nsds5ReplicaBindDN: cn=dirhost1.example.net,ou=Replication Managers,cn=config
nsds5ReplicaBindDN: cn=dirhost2.example.net,ou=Replication Managers,cn=config

# Chaining Database
dn: cn=RosterDataChain,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: RosterDataChain
nsslapd-suffix: ou=Roster,dc=example,dc=com
nsFarmServerUrl: ldap://dirhost1.example.net ldap://dirhost2.example.net
nsCheckLocalACI: on
nsUseStartTls: on
nsBindMethod: 
nsMultiplexorBindDn: cn=dirslave1.example.net,ou=Replication Managers,cn=config
nsMultiplexorCredentials: secret

I've tried the following ACI combinations on ou=Roster,dc=example,dc=com 
on dirhost1 and dirhost2:

1>
aci: (targetattr="*") (version 3.0; acl "Proxy access for chain-on-update"; allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=replication managers,cn=config";)

2>
aci: (target=ldap:///uid=*,ou=Users,ou=Roster,dc=example,dc=com)(targetattr=*) (version 3.0; acl "Proxy access for chain-on-update as normal users"; allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=Replication Managers,cn=config";)

I see the following error in the ACI logs:

[20/Aug/2009:12:57:24 +051800] NSACLPlugin - conn=201 op=2 (main): Deny write on entry(uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com).attr(userPassword) to cn=dirslave1.example.net,ou=replication managers,cn=config: no aci matched the subject by aci(70): aciname= "Write access to personal info", acidn="ou=users,ou=roster,dc=example,dc=com"

Thanks,
Mrugesh

P.S. The users can modify their own userpassword attribute properly.
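An added triage helper for this kind of chain-on-update problem (my example, not code from the post or from the 389/Fedora Directory Server project): it parses NSACLPlugin log lines like the one quoted above, reports whether the subject the master's ACI engine evaluated is the chaining multiplexor bind DN itself (no proxied identity in play) or the original user, and checks whether a given ACI string actually grants the proxy right to that bind DN. The Deny line is the one from the post, unwrapped; the Allow line, its "allowed by aci(N)" wording, and the read-only ACI are constructed for the example, and DN comparison is assumed to be case-insensitive.

```python
"""Triage of 389-DS NSACLPlugin log lines for chain-on-update proxy problems.

Added example, not code from the post or from the 389/Fedora DS project.
Given ACI log output and the multiplexor bind DN configured in the slave's
chaining database, report whether the master evaluated ACIs for the
multiplexor itself (proxy identity not applied) or for the end user, and
whether an ACI string grants the proxy right to that DN.
"""
import re
from typing import Dict, List, Optional

# Multiplexor bind DN from the slave's chaining database entry (from the post).
MULTIPLEXOR_DN = "cn=dirslave1.example.net,ou=Replication Managers,cn=config"

# The Deny line is the one quoted in the post, unwrapped. The Allow line is
# constructed for contrast and assumes the "allowed by aci(N)" wording.
DENY_LINE = (
    "[20/Aug/2009:12:57:24 +051800] NSACLPlugin - conn=201 op=2 (main): Deny write on "
    "entry(uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com).attr(userPassword) "
    "to cn=dirslave1.example.net,ou=replication managers,cn=config: no aci matched the "
    'subject by aci(70): aciname= "Write access to personal info", '
    'acidn="ou=users,ou=roster,dc=example,dc=com"'
)
ALLOW_LINE = (
    "[20/Aug/2009:12:58:01 +051800] NSACLPlugin - conn=202 op=3 (main): Allow write on "
    "entry(uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com).attr(userPassword) "
    "to uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com: allowed by aci(70): "
    'aciname= "Write access to personal info", acidn="ou=users,ou=roster,dc=example,dc=com"'
)

# ACI 1 from the post, and a constructed ACI that lacks the proxy right.
ACI_PROXY = ('(targetattr="*") (version 3.0; acl "Proxy access for chain-on-update"; allow (proxy) '
             'userdn="ldap:///cn=dirslave1.example.net,ou=replication managers,cn=config";)')
ACI_NO_PROXY = ('(targetattr="*") (version 3.0; acl "Read only"; allow (read,search) '
                'userdn="ldap:///cn=dirslave1.example.net,ou=Replication Managers,cn=config";)')

ACL_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): "
    r"(?P<decision>Allow|Deny) (?P<right>\w+) on entry\((?P<entry>[^)]*)\)"
    r"(?:\.attr\((?P<attr>[^)]*)\))? to (?P<subject>.*?): (?P<reason>.*)$"
)
ACI_REF = re.compile(r'by aci\((?P<idx>\d+)\): aciname= "(?P<name>[^"]*)", acidn="(?P<dn>[^"]*)"')
ACI_ALLOW = re.compile(r'allow\s*\((?P<rights>[^)]*)\)\s*userdn\s*=\s*"ldap:///(?P<dn>[^"]*)"', re.I)


def normalize_dn(dn: str) -> str:
    """Lower-case the DN and strip spaces around RDN separators and '='.
    Assumes DN matching is case-insensitive, so 'ou=Replication Managers'
    and 'ou=replication managers' compare equal."""
    return ",".join(re.sub(r"\s*=\s*", "=", rdn.strip()).lower() for rdn in dn.split(","))


def parse_acl_line(line: str) -> Optional[Dict[str, object]]:
    """Split one NSACLPlugin line into its fields; None if it is not an ACL line."""
    m = ACL_LINE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = dict(m.groupdict())
    rec["conn"] = int(m.group("conn"))
    rec["op"] = int(m.group("op"))
    ref = ACI_REF.search(m.group("reason"))
    rec["aci_idx"] = int(ref.group("idx")) if ref else None
    rec["aci_name"] = ref.group("name") if ref else None
    rec["aci_dn"] = ref.group("dn") if ref else None
    return rec


def diagnose_line(line: str, multiplexor_dn: str) -> Optional[Dict[str, object]]:
    """Flag whether the evaluated subject is the multiplexor DN rather than a user."""
    rec = parse_acl_line(line)
    if rec is None:
        return None
    rec["evaluated_as_multiplexor"] = normalize_dn(str(rec["subject"])) == normalize_dn(multiplexor_dn)
    return rec


def aci_grants_proxy(aci: str, bind_dn: str) -> bool:
    """True if some allow clause of the ACI grants 'proxy' to bind_dn (or to all/anyone)."""
    for m in ACI_ALLOW.finditer(aci):
        rights = {r.strip().lower() for r in m.group("rights").split(",")}
        if "proxy" not in rights:
            continue
        target = m.group("dn")
        if target.lower() in ("all", "anyone") or normalize_dn(target) == normalize_dn(bind_dn):
            return True
    return False


def triage(lines: List[str], multiplexor_dn: str) -> Dict[str, int]:
    """Count parsed ACL lines and denials where the subject was the multiplexor."""
    parsed = denied = 0
    for line in lines:
        rec = diagnose_line(line, multiplexor_dn)
        if rec is None:
            continue
        parsed += 1
        if rec["decision"] == "Deny" and rec["evaluated_as_multiplexor"]:
            denied += 1
    return {"parsed": parsed, "denied_as_multiplexor": denied}


if __name__ == "__main__":
    print(triage([DENY_LINE, ALLOW_LINE], MULTIPLEXOR_DN))
    print("ACI 1 grants proxy:", aci_grants_proxy(ACI_PROXY, MULTIPLEXOR_DN))
```

A non-zero `denied_as_multiplexor` count means the master is applying its ACIs to the chaining bind identity, which matches what the post describes; `aci_grants_proxy` only confirms that the proxy ACI names the right DN and right, it does not tell you whether the proxied authorization control actually reached the master.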



