[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

[Roberto Polli]

hi all,

I got similar problem with: dblink+proxyuser.

>Rich Megginson wrote:
>>Giovanni Mancuso wrote:
>>Bu if i try to execute the ldapserach in first directory server i have the
>> following error: proxy does not currently work with directory manager.
>> Directory manager is considered a "local" user to each directory server.
>> Try a different user. Now, i create a new user in first DS:

>By first DS do you mean the DS with the "real" database or the DS with the
> database link? We also refer to the DS with the "real" database as the
> "remote" DS and the DS with the database link as the "local" DS.

case1)
* I bind with uid=admin to the local DS tree to modify the "givenName" of a 
user on the remote server
* the modify is successful, as the uid=admin is proxied and the "uid=admin" is 
replicated on the remote server 

case2)
* same as case1 but I try to modify "userPassword"
* the modify fails as the remote server won't evaluate aci on "uid=admin" but 
on "dn:proxyuser"

>Did you add an ACI to allow the uid=ttestuser,cn=config to add entries under
> node=testgio,dc=example,dc=com ?
to solve that issue it seems by this thread that you suggest giving 
(proxy+all) access to proxyuser instead of the proxied one (uid=admin)

imho this won't fit, as every proxied user will be granted write access; while 
the desired behaviour is to have the aci checked against uid=admin 

Am I wrong?

Peace,
R.




-- 

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo 
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene 
notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio 
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto 
della legge in materia di protezione dei dati personali."