Re: [389-users] Chaining and LDAP_UNWILLING_TO_PERFORM problem

Roberto Polli wrote:
Hi all,

I got a similar problem with dblink+proxyuser.

Rich Megginson wrote:
Giovanni Mancuso wrote:
But if I try to execute the ldapsearch on the first directory server I get the
following error: proxy does not currently work with directory manager.
Directory manager is considered a "local" user to each directory server.
Try a different user. Now, I create a new user on the first DS:

By first DS do you mean the DS with the "real" database or the DS with the
database link? We also refer to the DS with the "real" database as the
"remote" DS and the DS with the database link as the "local" DS.

case1)
* I bind with uid=admin to the local DS tree to modify the "givenName" of a user on the remote server
* the modify is successful, as the uid=admin is proxied and the "uid=admin" is replicated on the remote server
case2)
* same as case1 but I try to modify "userPassword"
* the modify fails as the remote server won't evaluate aci on "uid=admin" but on "dn:proxyuser"
Is there an aci on the remote server that explicitly denies access to userPassword? How about on the local server?
Did you add an ACI to allow the uid=ttestuser,cn=config to add entries under
node=testgio,dc=example,dc=com ?
To solve that issue, it seems from this thread that you suggest giving (proxy+all) access to proxyuser instead of the proxied one (uid=admin).

IMHO this won't fit, as every proxied user will be granted write access, while the desired behaviour is to have the aci checked against uid=admin.
Am I wrong?
You should not have to allow the proxy user "all" access, only "proxy" access. The proxy user is not a "superuser". The access control should apply to the actual user.
Peace,
R.
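The ACI split Rich describes (proxy right for the link's bind DN, real rights for the proxied user), written out as an added example that is not part of the thread. The DNs uid=proxyuser,cn=config, ou=People,dc=example,dc=com and the link name cn=examplelink are assumptions; the attribute and ACI syntax is standard 389 DS.

```ldif
# Added example, not from the thread. Assumed names: the database link binds
# to the remote server as uid=proxyuser,cn=config (a plain user, not
# Directory Manager, which the thread says cannot be proxied), and the
# chained data lives under dc=example,dc=com.

# --- LOCAL server: the database link that chains the suffix ---
dn: cn=examplelink,cn=chaining database,cn=plugins,cn=config
changetype: modify
replace: nsMultiplexorBindDN
nsMultiplexorBindDN: uid=proxyuser,cn=config
-
replace: nsMultiplexorCredentials
nsMultiplexorCredentials: <PLACEHOLDER-PASSWORD>
-

# --- REMOTE server (holds the real database) ---
# 1. The proxy user gets ONLY the "proxy" right at the suffix. The remote
#    server then evaluates each chained operation as the proxied identity
#    (uid=admin), so the proxy user itself never needs "all" or "write".
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*")(version 3.0; acl "Database link proxy access";
  allow (proxy) userdn = "ldap:///uid=proxyuser,cn=config";)
-

# 2. The actual rights are granted to the real user, which must also exist
#    on the remote server (the thread notes uid=admin is replicated there).
#    userPassword has to be named explicitly: an ACI written for other
#    attributes will not cover it, which matches the case2 failure above.
dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "givenName || userPassword")(version 3.0;
  acl "uid=admin may change names and passwords";
  allow (write) userdn = "ldap:///uid=admin,ou=People,dc=example,dc=com";)
-

# Check: bind to the LOCAL server as uid=admin and modify userPassword on an
# entry under the chained suffix; with only these two remote ACIs the
# operation should succeed, and a bind as any other proxied user should
# still be refused, proving the access check ran against the real user.
```

Apply each section with ldapmodify against the server named in its comment; the local link entry is only needed if the bind DN is not already set.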


--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users
