On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
> Roberto Polli wrote:
> > hi all,
> >
> > I got a similar problem with: dblink+proxyuser.
> >
> >> Rich Megginson wrote:
> >>> Giovanni Mancuso wrote:
> >>> But if I try to execute the ldapsearch in the first directory server I have
> >>> the following error: proxy does not currently work with directory
> >>> manager. Directory manager is considered a "local" user to each
> >>> directory server. Try a different user. Now, I create a new user in
> >>> the first DS:
> >>
> >> By first DS do you mean the DS with the "real" database or the DS with
> >> the database link? We also refer to the DS with the "real" database as
> >> the "remote" DS and the DS with the database link as the "local" DS.
> >
> > case1)
> > * I bind with uid=admin to the local DS tree to modify the "givenName" of
> >   a user on the remote server
> > * the modify is successful, as the uid=admin is proxied and the
> >   "uid=admin" is replicated on the remote server
> >
> > case2)
> > * same as case1 but I try to modify "userPassword"
> > * the modify fails as the remote server won't evaluate aci on "uid=admin"
> >   but on "dn:proxyuser"
>
> Is there an aci on the remote server that explicitly denies access to
> userPassword? How about on the local server?

nope: "deny" is never mentioned, neither in the local nor in the remote server:

  # for i in "" "uid=pluto,node=isola3," "node=isola3,"; do
      ldapsearch .. -b "${i}dc=babel,dc=it" -s base aci
    done | grep -ci deny
  0

acis on remote:

  aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
  //INHERITED FROM BASEDN
  aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)
  //INHERITED FROM BASEDN
  aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)
  // INHERITED FROM node=isola3

acis on remote are the same:

  aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";)
  //INHERITED FROM BASEDN
  aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)
  //INHERITED FROM BASEDN

> You should not have to allow the proxy user "all" access, only "proxy"
> access. The proxy user is not a "superuser". The access control should
> apply to the actual user.

so proxy access should be able to change userPassword...
do I have to set some custom settings in config (eg. plugins & co)?

Peace,
R.

--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"This message contains confidential information. If you have received this message in error, please kindly notify us by e-mail. We also ask you to destroy the message received in error. The above is requested in order to comply with the law on the protection of personal data."
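As an added illustration (not code from the thread or from 389 DS), a small Python evaluator of the three allow ACIs quoted above that reports which rule, if any, grants a given right on a given attribute. It assumes the mail-wrapping breaks in "roled n", "versi on" and "cn=co nfig" were not in the real ACIs, and expands the 389 "all" keyword to the rights it stands for, which do not include "proxy".

```python
import re
from dataclasses import dataclass

# Sample input: the allow ACIs quoted in the thread, with line-wrap damage repaired.
ACIS = [
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "SA administration";allow (all)'
    '(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)',
    '(targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") '
    '(version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)',
]

# In 389 DS, "all" expands to these rights; "proxy" must always be granted explicitly.
ALL_RIGHTS = {"read", "write", "search", "compare", "selfwrite", "add", "delete"}


@dataclass
class Aci:
    name: str
    attr_negated: bool   # True for targetattr != "..."
    attrs: set           # {"*"} means every attribute
    rights: set
    bind_rule: str       # the userdn/roledn/groupdn clause, verbatim


def parse_aci(text):
    """Extract targetattr, acl name, granted rights and the bind rule from one allow ACI."""
    m = re.search(r'targetattr\s*(!=|=)\s*"([^"]*)"', text)
    negated = bool(m) and m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||")} if m else {"*"}
    name = re.search(r'acl\s+"([^"]*)"', text).group(1)
    raw = re.search(r'allow\s*\(([^)]*)\)', text).group(1)
    rights = {r.strip().lower() for r in raw.split(",")}
    if "all" in rights:
        rights |= ALL_RIGHTS
    bind = re.search(r'((?:userdn|roledn|groupdn)\s*=\s*"[^"]*")', text).group(1)
    return Aci(name, negated, attrs, rights, bind)


def covers_attr(aci, attr):
    """Does this ACI's targetattr clause apply to `attr`?"""
    if "*" in aci.attrs:
        return not aci.attr_negated
    return (attr.lower() in aci.attrs) != aci.attr_negated


def who_can(right, attr, acis=ACIS):
    """Return (acl name, bind rule) for every allow ACI granting `right` on `attr`."""
    parsed = [parse_aci(a) for a in acis]
    return [(a.name, a.bind_rule) for a in parsed if covers_attr(a, attr) and right in a.rights]
```

Run `who_can("write", "userPassword")` against the quoted ACIs and only "SA administration" (the roledn rule) comes back: nothing denies the write, but nothing other than that role allows it, and the proxy rule only grants the proxy right itself.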