Roberto Polli wrote:
> hi all,
> I got a similar problem with: dblink+proxyuser.
>
> Rich Megginson wrote:
>> Giovanni Mancuso wrote:
>>> But if I try to execute the ldapsearch in the first directory server I have the following error:
>> proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.
>>> Now, I create a new user in the first DS:
>> By first DS do you mean the DS with the "real" database or the DS with the database link? We also refer to the DS with the "real" database as the "remote" DS and the DS with the database link as the "local" DS.
>
> case1)
> * I bind with uid=admin to the local DS tree to modify the "givenName" of a user on the remote server
> * the modify is successful, as the uid=admin is proxied and the "uid=admin" is replicated on the remote server
>
> case2)
> * same as case1 but I try to modify "userPassword"
> * the modify fails as the remote server won't evaluate aci on "uid=admin" but on "dn:proxyuser"

Is there an aci on the remote server that explicitly denies access to userPassword? How about on the local server?

> to solve that issue it seems by this thread that you suggest giving (proxy+all) access to proxyuser instead of the proxied one (uid=admin)
>
>> Did you add an ACI to allow the uid=ttestuser,cn=config to add entries under node=testgio,dc=example,dc=com ?
>
> imho this won't fit, as every proxied user will be granted write access; while the desired behaviour is to have the aci checked against uid=admin
>
> Am I wrong?

You should not have to allow the proxy user "all" access, only "proxy" access. The proxy user is not a "superuser". The access control should apply to the actual user.

> Peace,
> R.
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
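As an added illustration of the "proxy access only" point above (this is example LDIF written for this page, not from the thread or from the 389 project; the suffix dc=example,dc=com, the database-link bind DN uid=proxyuser,cn=config and the proxied user uid=admin,ou=people,dc=example,dc=com are assumed names), this is the shape of the ACIs on the remote server: the chaining bind DN gets only the `proxy` right, and the effective rights come from a separate ACI on the proxied user, so the remote server evaluates uid=admin's access rather than handing every proxied user the proxy user's rights.

```ldif
# Added example, not from the thread. Assumed names: suffix dc=example,dc=com,
# database-link bind DN uid=proxyuser,cn=config (the account the local DS binds
# with on the remote DS), proxied user uid=admin,ou=people,dc=example,dc=com,
# which must also exist on the remote server.
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "database link bind DN may only proxy";
  allow (proxy) userdn="ldap:///uid=proxyuser,cn=config";)
aci: (targetattr="givenName || userPassword")(version 3.0; acl "uid=admin may edit these attributes";
  allow (write) userdn="ldap:///uid=admin,ou=people,dc=example,dc=com";)
```

Two things to check when a proxied modify of userPassword still fails while givenName works: in 389 DS an explicit `deny` ACI wins over any `allow`, so a deny on userPassword anywhere above the target entry (on either server) will override the write grant above; and ACI evaluation can be traced by raising the error log level to include access control processing (128), which shows which ACI matched for the proxied DN.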