[389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Roberto Polli wrote:
> On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
>   
>> Roberto Polli wrote:
>>     
>>> hi all,
>>>
>>> I got similar problem with: dblink+proxyuser.
>>>
>>>       
>>>> Rich Megginson wrote:
>>>>         
>>>>> Giovanni Mancuso wrote:
>>>>> But if I try to execute the ldapsearch on the first directory server I have
>>>>> the following error: proxy does not currently work with directory
>>>>> manager. Directory manager is considered a "local" user to each
>>>>> directory server. Try a different user. Now, I create a new user in the
>>>>> first DS:
>>>>>           
>>>> By first DS do you mean the DS with the "real" database or the DS with
>>>> the database link? We also refer to the DS with the "real" database as
>>>> the "remote" DS and the DS with the database link as the "local" DS.
>>>>         
>>> case1)
>>> * I bind with uid=admin to the local DS tree to modify the "givenName" of
>>> a user on the remote server
>>> * the modify is successful, as the uid=admin is proxied and the
>>> "uid=admin" is replicated on the remote server
>>>
>>> case2)
>>> * same as case1 but I try to modify "userPassword"
>>> * the modify fails as the remote server won't evaluate aci on "uid=admin"
>>> but on "dn:proxyuser"
>>>       
>> Is there an aci on the remote server that explicitly denies access to
>> userPassword?  How about on the local server?
>>     
> nope: "deny" is never mentioned, neither on the local nor on the remote server
>
> # for i in "" "uid=pluto,node=isola3,"  "node=isola3,"; do
> 	ldapsearch .. -b "${i}dc=babel,dc=it" -s base aci 
> done |grep -ci deny
> 0
>
> acis on remote 
>
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";;) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it";) (version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");) // INHERITED FROM node=isola3
>
>
>
> acis on remote are the same:
>
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";;) //INHERITED FROM BASEDN
>
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>
>
>   
>> You should not have to allow the proxy user "all" access, only "proxy"
>> access.  The proxy user is not a "superuser".  The access control should
>> apply to the actual user.
>>     
> so proxy access should be able to change userPassword...
>   
Yes.
> do I have to set some custom settings in config (eg. plugins & co)
>   
So the user uid=admin - is that the Directory Manager (rootdn)?  If not, 
is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the 
local and remote servers?


> Peace,
> R.
>
>   

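The point Rich makes above (the database link's bind identity needs only the "proxy" right, "all" does not include it, and the remote server evaluates the operation's ACIs against the proxied user, not the proxy user) can be checked against the ACIs posted in this thread with a small model. The following is an added example, not 389 DS code: it implements only targetattr, allow(...) rights, userdn= and roledn= bind rules with default deny, the ACI strings are the ones quoted above unfolded onto single lines, and the DN of uid=admin (uid=admin,dc=babel,dc=it) and its role membership are assumptions, since the thread does not give them.

```python
"""Toy model of 389 DS ACI evaluation for a chained (database link) modify.

Added example, NOT 389 DS code. Models only: targetattr, allow(...) rights,
userdn= / roledn= bind rules, default deny. Enough to see what the ACIs
posted in the thread imply for the two cases described there.
"""
import re
from dataclasses import dataclass

# "all" expands to these rights in an ACI. "proxy" is deliberately NOT among them:
# a bind identity granted (all) still cannot act as a proxy.
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "selfwrite"}


@dataclass(frozen=True)
class Aci:
    name: str
    attrs: frozenset     # attribute names from targetattr; {"*"} means every attribute
    negated: bool        # True for targetattr != "..."
    rights: frozenset
    userdns: frozenset   # values after userdn = "ldap:///" (anyone, all, or a DN)
    roledns: frozenset   # values after roledn = "ldap:///"


def parse_aci(text: str) -> Aci:
    """Lenient parser for the ACI syntax used in the thread (single-line input)."""
    text = " ".join(text.split())
    m = re.search(r'\(\s*targetattr\s*(!?=)\s*"([^"]*)"\s*\)', text)
    negated = bool(m) and m.group(1) == "!="
    attrs = {a.strip().lower() for a in m.group(2).split("||")} if m else {"*"}
    name = re.search(r'acl\s*"([^"]*)"', text).group(1)
    rights_txt = re.search(r'allow\s*\(([^)]*)\)', text).group(1)
    rights = {r.strip().lower() for r in rights_txt.split(",")}
    if "all" in rights:
        rights |= ALL_RIGHTS

    def ldap_urls(keyword):
        return frozenset(v.lower() for v in re.findall(keyword + r'\s*=\s*"ldap:///([^"]*)"', text))

    return Aci(name, frozenset(attrs), negated, frozenset(rights),
               ldap_urls("userdn"), ldap_urls("roledn"))


@dataclass(frozen=True)
class Bind:
    dn: str                          # "" means anonymous
    roles: frozenset = frozenset()   # nsRole values the server sees for this entry


ANONYMOUS = Bind("")


def bind_rule_matches(aci: Aci, who: Bind) -> bool:
    if "anyone" in aci.userdns:
        return True
    if who.dn == "":
        return False
    if "all" in aci.userdns or who.dn.lower() in aci.userdns:
        return True
    return bool(aci.roledns & {r.lower() for r in who.roles})


def attr_in_scope(aci: Aci, attr: str) -> bool:
    listed = "*" in aci.attrs or attr.lower() in aci.attrs
    return (not listed) if aci.negated else listed


def has_right(acis, who: Bind, right: str, attr: str = "*") -> bool:
    """Default deny: granted only if some allow ACI in scope names the right."""
    return any(bind_rule_matches(a, who) and attr_in_scope(a, attr) and right in a.rights
               for a in acis)


def chained_modify(remote_acis, proxy_user: Bind, real_user: Bind, attr: str) -> str:
    """Modify arriving over a database link, as seen by the REMOTE server:
    the link's bind identity must hold the proxy right; the write itself is
    then checked for the proxied (real) user, never for the proxy user."""
    if not has_right(remote_acis, proxy_user, "proxy"):
        return "denied: link bind identity lacks the proxy right"
    if not has_right(remote_acis, real_user, "write", attr):
        return f"denied: {real_user.dn or 'anonymous'} lacks write on {attr}"
    return "success"


# Constructed sample input: the remote server's ACIs as quoted in the thread, unfolded.
REMOTE_ACIS = [parse_aci(s) for s in (
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "SA administration";allow (all)'
    '(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)',
    '(targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it";) (version 3.0;'
    'acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)',
)]
# Misconfiguration to contrast with: the proxy user granted (all) instead of (proxy).
PROXY_WITH_ALL = REMOTE_ACIS[:2] + [parse_aci(
    '(targetattr = "*")(version 3.0;acl "wrong";allow (all)'
    '(userdn = "ldap:///uid=proxyuser3,cn=config");)')]

PROXY3 = Bind("uid=proxyuser3,cn=config")
# The DN of uid=admin is not given in the thread; it is assumed here.
ADMIN_NO_ROLE = Bind("uid=admin,dc=babel,dc=it")
ADMIN_SA = Bind("uid=admin,dc=babel,dc=it", frozenset({"cn=SA role,dc=babel,dc=it"}))

if __name__ == "__main__":
    for who in (ADMIN_SA, ADMIN_NO_ROLE):
        for attr in ("givenName", "userPassword"):
            print(f"{who.dn} via proxy, {attr}: {chained_modify(REMOTE_ACIS, PROXY3, who, attr)}")
    print("proxy user with (all) instead of (proxy):",
          chained_modify(PROXY_WITH_ALL, PROXY3, ADMIN_SA, "givenName"))
```

Under these ACIs the model gives the same answer for givenName and userPassword: both succeed when uid=admin is in the SA role on the remote server and both are denied when it is not, because the anonymous ACI grants no write at all and the only write grant is the role-based one. That is why the questions above are about whether uid=admin is the rootdn or an SA role member, and whether the role exists on both servers. The last case also shows that granting the link's bind identity (all) is both too much and not enough: it is denied, since "all" does not include "proxy".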

