Roberto Polli wrote:
> On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
>> Roberto Polli wrote:
>>> hi all, I got a similar problem with dblink+proxyuser.
>>>
>>> Rich Megginson wrote:
>>>> Giovanni Mancuso wrote:
>>>>> But if I try to execute the ldapsearch in the first directory server I have the following error:
>>>> proxy does not currently work with directory manager. Directory manager is considered a "local" user to each directory server. Try a different user.
>>>>> Now, I create a new user in the first DS:
>>>> By first DS do you mean the DS with the "real" database or the DS with the database link? We also refer to the DS with the "real" database as the "remote" DS and the DS with the database link as the "local" DS.
>>>
>>> case1)
>>> * I bind with uid=admin to the local DS tree to modify the "givenName" of a user on the remote server
>>> * the modify is successful, as the uid=admin is proxied and the "uid=admin" is replicated on the remote server
>>>
>>> case2)
>>> * same as case1 but I try to modify "userPassword"
>>> * the modify fails as the remote server won't evaluate aci on "uid=admin" but on "dn:proxyuser"
>> Is there an aci on the remote server that explicitly denies access to userPassword? How about on the local server?
> nope: "deny" is never mentioned, neither in the local nor the remote server
>
> # for i in "" "uid=pluto,node=isola3," "node=isola3,"; do ldapsearch .. -b "${i}dc=babel,dc=it" -s base aci; done | grep -ci deny
> 0
>
> acis on remote
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
> aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");) // INHERITED FROM node=isola3
>
> acis on remote are the same:
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access";allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>> You should not have to allow the proxy user "all" access, only "proxy" access. The proxy user is not a "superuser". The access control should apply to the actual user.
> so proxy access should be able to change userPassword...
Yes.

So the user uid=admin - is that the Directory Manager (rootdn)? If not, is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"? Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the local and remote servers?
> do I have to set some custom settings in config (eg. plugins & co)
>
> Peace, R.
-- 389 users mailing list 389-users@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-directory-users
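To illustrate Rich's point about proxy rights in configuration form, here is an added example LDIF for the remote server (not configuration posted in this thread): the over-broad aci that treats the proxy user as a superuser, its replacement granting only the proxy right as the thread's "proxy3proxy" aci does, and a separate grant of write on userPassword to the real user. The suffix and proxy user DN follow the thread; the group cn=pw-admins, the aci names and the DN uid=admin,dc=babel,dc=it are assumptions.

```ldif
# Remote ("real" database) server for dc=babel,dc=it. The local chaining
# server binds here as uid=proxyuser3,cn=config and asserts the real
# user's DN through proxy authorization.

# 1) Over-broad setting: the proxy user is granted "all". The remote server
#    then accepts whatever the local server forwards, and the proxied user's
#    own rights never limit the operation.
dn: node=isola3,dc=babel,dc=it
changetype: modify
add: aci
aci: (targetattr = "*")(target = "ldap:///node=isola3,dc=babel,dc=it")
 (version 3.0; acl "proxy3 too broad"; allow (all)
 (userdn = "ldap:///uid=proxyuser3,cn=config");)

# 2) Corrected setting: drop the broad aci and grant only the "proxy" right.
#    Every other aci is now evaluated against the proxied identity
#    (uid=admin in the thread), not against the proxy user.
dn: node=isola3,dc=babel,dc=it
changetype: modify
delete: aci
aci: (targetattr = "*")(target = "ldap:///node=isola3,dc=babel,dc=it")
 (version 3.0; acl "proxy3 too broad"; allow (all)
 (userdn = "ldap:///uid=proxyuser3,cn=config");)
-
add: aci
aci: (targetattr = "*")(target = "ldap:///node=isola3,dc=babel,dc=it")
 (version 3.0; acl "proxy3proxy"; allow (proxy)
 (userdn = "ldap:///uid=proxyuser3,cn=config");)
-

# 3) The proxied user still needs its own write right on userPassword here;
#    the anonymous aci excludes that attribute and grants no write anyway.
#    Grant it to a group the real user belongs to. Group and member are
#    assumed names, and both entries must exist on the remote server too.
dn: cn=pw-admins,dc=babel,dc=it
changetype: add
objectClass: top
objectClass: groupOfNames
cn: pw-admins
member: uid=admin,dc=babel,dc=it

dn: node=isola3,dc=babel,dc=it
changetype: modify
add: aci
aci: (targetattr = "userPassword")(target = "ldap:///node=isola3,dc=babel,dc=it")
 (version 3.0; acl "pw-admins may set passwords"; allow (write)
 (groupdn = "ldap:///cn=pw-admins,dc=babel,dc=it");)
```

After applying it, the same `ldapsearch ... -s base aci` used in the thread against node=isola3 on the remote server should show the proxy user with (proxy) only and the userPassword write right attached to the group, not to the proxy user.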