Chain on Update: Proxy Auth Fails

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi all,

I've been trying to set up Chain on Update on CentOS DS 8.1. The master-slave 
replication works. Search queries return data from the replicated database on 
the slave perfectly.

When I send an update request, the slave binds with the master with the proper 
credentials but the ACI evaluation fails on the master. From the ACI logs on 
the master, it seems to me that the master evaluates the ACIs for the 
multiplexor bind dn rather than for the original user identity. This leads me 
to believe that somehow, proxy authentication is not happening. How do I solve 
this problem?

In my setup, 

Following is the suffix and db configuration on the slave:

# Suffix
dn: cn="ou=Roster,dc=example,dc=com",cn=mapping tree,cn=config
cn: "ou=Roster,dc=example,dc=com"
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: RosterData
nsslapd-backend: RosterDataChain
nsslapd-distribution-plugin: /usr/lib/dirsrv/plugins/libreplication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update
nsslapd-parent-suffix: "dc=example,dc=com"

# Database
dn: cn=RosterData,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
nsslapd-suffix: ou=Roster,dc=example,dc=com

# Replica
dn: cn=replica,cn="ou=Roster,dc=example,dc=com",cn=mapping tree,cn=config
cn: replica
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
nsds5replicaroot: ou=Roster,dc=example,dc=com
nsds5replicaid: 21
nsds5replicatype: 2
nsds5flags: 0
nsds5ReplicaBindDN: cn=dirhost1.example.net,ou=Replication Managers,cn=config
nsds5ReplicaBindDN: cn=dirhost2.example.net,ou=Replication Managers,cn=config

# Chaining Database
dn: cn=RosterDataChain,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: RosterDataChain
nsslapd-suffix: ou=Roster,dc=example,dc=com
nsFarmServerUrl: ldap://dirhost1.example.net ldap://dirhost2.example.net
nsCheckLocalACI: on
nsUseStartTls: on
nsBindMethod: 
nsMultiplexorBindDn: cn=dirslave1.example.net,ou=Replication 
Managers,cn=config
nsMultiplexorCredentials: secret

I've tried with the following ACI combinations on ou=Roster,dc=example,dc=com 
on dirhost1 and dirhost2

1>
aci: (targetattr="*") (version 3.0; acl "Proxy access for chain-on-update"; 
allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=replication 
managers,cn=config";)

2>
aci: (target=ldap:///uid=*,ou=Users,ou=Roster,dc=example,dc=com)(targetattr=*) 
(version 3.0; acl "Proxy access for chain-on-update as normal users"; allow 
(proxy) userdn="ldap:///cn=dirslave1.example.net,ou=Replication 
Managers,cn=config";)

I see the following error in the ACI logs:

[20/Aug/2009:12:57:24 +051800] NSACLPlugin - conn=201 op=2 (main): Deny write 
on 
entry(uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com).attr(userPassword) 
to cn=dirslave1.example.net,ou=replication managers,cn=config: no aci matched 
the subject by aci(70): aciname= "Write access to personal info", 
acidn="ou=users,ou=roster,dc=example,dc=com"

Thanks,
Mrugesh

P.S. The users can modify their own userpassword attribute properly.

--
389 users mailing list
389-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

[Index of Archives]     [Fedora Directory Users]     [Fedora Directory Devel]     [Fedora Announce]     [Fedora Legacy Announce]     [Kernel]     [Fedora Legacy]     [Share Photos]     [Fedora Desktop]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Big List of Linux Books]     [Gimp]     [Yosemite News]

  Powered by Linux