[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Thu Jul 23 16:59:21 UTC 2009

On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
> Roberto Polli wrote:
> > hi all,
> >
> > I got similar problem with: dblink+proxyuser.
> >
> >> Rich Megginson wrote:
> >>> Giovanni Mancuso wrote:
> >>> Bu if i try to execute the ldapserach in first directory server i have
> >>> the following error: proxy does not currently work with directory
> >>> manager. Directory manager is considered a "local" user to each
> >>> directory server. Try a different user. Now, i create a new user in
> >>> first DS:
> >>
> >> By first DS do you mean the DS with the "real" database or the DS with
> >> the database link? We also refer to the DS with the "real" database as
> >> the "remote" DS and the DS with the database link as the "local" DS.
> >
> > case1)
> > * I bind with uid=admin to the local DS tree to modify the "givenName" of
> > a user on the remote server
> > * the modify is successful, as the uid=admin is proxied and the
> > "uid=admin" is replicated on the remote server
> >
> > case2)
> > * same as case1 but I try to modify "userPassword"
> > * the modify fails as the remote server won't evaluate aci on "uid=admin"
> > but on "dn:proxyuser"
>
> Is there an aci on the remote server that explicitly denies access to
> userPassword?  How about on the local server?
nope: "deny" is never mentioned. nor in local and remote server

# for i in "" "uid=pluto,node=isola3,"  "node=isola3,"; do
	ldapsearch .. -b "${i}dc=babel,dc=it" -s base aci 
done |grep -ci deny
0

acis on remote 

aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
 allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM 
BASEDN

aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roled
 n = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN

aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (versi
 on 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=co
 nfig");) // INHERITED FROM node=isola3

acis on remote are the same:

aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";
 allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM 
BASEDN

aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roled
 n = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN

> You should not have to allow the proxy user "all" access, only "proxy"
> access.  The proxy user is not a "superuser".  The access control should
> apply to the actual user.
so proxy access should be able to change userPassword...
do I have to set some custom settings in config (eg. plugins & co)

Peace,
R.

-- 

Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"Il seguente messaggio contiene informazioni riservate. Qualora questo 
messaggio fosse da Voi ricevuto per errore, Vogliate cortesemente darcene 
notizia a mezzo e-mail. Vi sollecitiamo altresì a distruggere il messaggio 
erroneamente ricevuto. Quanto precede Vi viene chiesto ai fini del rispetto 
della legge in materia di protezione dei dati personali."