[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Rich Megginson rmeggins at redhat.com
Thu Jul 23 17:10:26 UTC 2009


Roberto Polli wrote:
> On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
>   
>> Roberto Polli wrote:
>>     
>>> hi all,
>>>
>>> I got similar problem with: dblink+proxyuser.
>>>
>>>       
>>>> Rich Megginson wrote:
>>>>         
>>>>> Giovanni Mancuso wrote:
>>>>> But if I try to execute the ldapsearch in first directory server I have
>>>>> the following error: proxy does not currently work with directory
>>>>> manager. Directory manager is considered a "local" user to each
>>>>> directory server. Try a different user. Now, I create a new user in
>>>>> first DS:
>>>>>           
>>>> By first DS do you mean the DS with the "real" database or the DS with
>>>> the database link? We also refer to the DS with the "real" database as
>>>> the "remote" DS and the DS with the database link as the "local" DS.
>>>>         
>>> case1)
>>> * I bind with uid=admin to the local DS tree to modify the "givenName" of
>>> a user on the remote server
>>> * the modify is successful, as the uid=admin is proxied and the
>>> "uid=admin" is replicated on the remote server
>>>
>>> case2)
>>> * same as case1 but I try to modify "userPassword"
>>> * the modify fails as the remote server won't evaluate aci on "uid=admin"
>>> but on "dn:proxyuser"
>>>       
>> Is there an aci on the remote server that explicitly denies access to
>> userPassword?  How about on the local server?
>>     
> nope: "deny" is never mentioned, neither on the local nor on the remote server
>
> # for i in "" "uid=pluto,node=isola3,"  "node=isola3,"; do
> 	ldapsearch .. -b "${i}dc=babel,dc=it" -s base aci 
> done |grep -ci deny
> 0
>
> acis on remote
>
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
>  allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM 
> BASEDN
>
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roled
>  n = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (versi
>  on 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=co
>  nfig");) // INHERITED FROM node=isola3
>
>
>
> acis on remote are the same:
>
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
>  allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM 
> BASEDN
>
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roled
>  n = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>
>
>   
>> You should not have to allow the proxy user "all" access, only "proxy"
>> access.  The proxy user is not a "superuser".  The access control should
>> apply to the actual user.
>>     
> so proxy access should be able to change userPassword...
>   
Yes.
> do I have to set some custom settings in config (eg. plugins & co)
>   
So the user uid=admin - is that the Directory Manager (rootdn)?  If not, 
is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the 
local and remote servers?


> Peace,
> R.
>
>   

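An added example, not from the thread or the 389 DS project: a deliberately simplified ACI evaluator fed the three ACIs quoted above, to show why the proxy user's own rights (proxy only) never decide the modify and why the answer for userPassword turns on whether uid=admin itself matches an allow rule such as the SA role. The DN assumed for uid=admin and its role membership are constructed, and the evaluator ignores target clauses, filters, logical operators and the rootdn bypass.

```python
import re

# The three ACIs quoted in the thread, LDIF continuation lines joined (nothing added).
REMOTE_ACIS = [
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";'
    ' allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "SA administration";allow (all)'
    '(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)',
    '(targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version 3.0;'
    'acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)',
]
ALL_RIGHTS = {"read", "write", "add", "delete", "search", "compare", "selfwrite"}  # "all" excludes proxy

def parse_aci(aci):
    """Pull out the pieces this toy evaluator understands: one targetattr clause, one
    allow/deny clause and one userdn/roledn bind rule. Target clauses are ignored."""
    ta = re.search(r'targetattr\s*(!?=)\s*"([^"]*)"', aci)
    perm = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', aci)
    bind = re.search(r'\b(userdn|roledn)\s*=\s*"ldap:///([^"]*)"', aci)
    rights = {r.strip().lower() for r in perm.group(2).split(",")}
    return {"name": re.search(r'\bacl\s*"([^"]*)"', aci).group(1),
            "negate": ta.group(1) == "!=",
            "attrs": {a.strip().lower() for a in ta.group(2).split("||")},
            "kind": perm.group(1),
            "rights": ALL_RIGHTS if "all" in rights else rights,
            "bind": (bind.group(1), bind.group(2).lower())}

def rule_applies(rule, bind_dn, roles, attr):
    hit = "*" in rule["attrs"] or attr.lower() in rule["attrs"]
    if hit == rule["negate"]:  # attr not targeted, or excluded by a "!=" clause
        return False
    kind, val = rule["bind"]
    if kind == "userdn":
        return val == "anyone" or val == bind_dn.lower()
    return val in {r.lower() for r in roles}

def decide(acis, bind_dn, roles, attr, right):
    """(allowed, names of the ACIs that matched). A matching deny always wins."""
    hits = [r for r in map(parse_aci, acis)
            if right in r["rights"] and rule_applies(r, bind_dn, roles, attr)]
    denies = [r["name"] for r in hits if r["kind"] == "deny"]
    return (False, denies) if denies else (bool(hits), [r["name"] for r in hits])

if __name__ == "__main__":
    admin = "uid=admin,node=isola3,dc=babel,dc=it"  # constructed DN for the thread's uid=admin
    for roles in ([], ["cn=SA role,dc=babel,dc=it"]):
        for attr in ("givenName", "userPassword"):
            print(roles, attr, decide(REMOTE_ACIS, admin, roles, attr, "write"))
    print("proxy user:", decide(REMOTE_ACIS, "uid=proxyuser3,cn=config", [], "userPassword", "write"))
```

Without the role nothing grants uid=admin write on either attribute; with it, the "SA administration" rule grants both, and the proxy user itself only ever matches the proxy right, which is Rich's point that the ACIs are evaluated against the real user.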