To summarize: you're saying that the "pseudorootdn" stuff no longer works in back-meta as of 2.3.20, correct? It may well be possible, as that area saw a lot of development recently. I suggest you file an ITS; can you design a very simple, self-contained example that shows the issue, just to ease tracking the issue? A one-target meta with as little ACL as possible should be fine.
p.

> We generate /etc/passwd files from LDAP (no, I don't know why we simply
> don't authenticate via LDAP) and so need read access to userPassword.
>
> Using the ACL:
>
>     access to attrs=userPassword
>         by self =wx
>         by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=dev$" =w
>         by anonymous auth
>
> ensures they are unreadable for all except rootDN.
>
> 2.2.26 slapd.conf:
>
>     uri "ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
>     rewriteEngine on
>     rewriteContext default
>     rewriteRule "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=com" ":"
>     rebind-as-user
>     binddn "cn=Manager,dc=au,dc=cordoors,dc=com"
>     bindpw "XXX"
>
> 2.3.20 slapd.conf:
>
>     uri "ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
>     rewriteEngine on
>     rewriteContext default
>     rewriteRule "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=dev" ":"
>     rebind-as-user true
>     acl-authcDN "cn=Manager,dc=au,dc=cordoors,dc=dev"
>     acl-passwd "XXX"
>     pseudorootdn "cn=Manager,dc=au,dc=cordoors,dc=dev"
>     pseudorootpw "XXX"
>
> Search request:
>
>     ldapsearch -W -b "dc=AdminView" -H "ldap://mippet" \
>         -D "cn=Manager,dc=au,dc=cordoors,dc=dev" \
>         "(&(objectClass=ciEmployee)(uid=susanc))" uid userpassword
>     Enter LDAP Password: XXX
>
> Result:
>
>     # susanc, stmarys, NSW, au.cordoors.dev
>     dn: uid=susanc,ou=stmarys,ou=NSW,dc=au,dc=cordoors,dc=dev
>     uid: susanc
>
> slapd.log:
>
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 ACCEPT from IP=192.168.1.1:1949 (IP=0.0.0.0:389)
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" method=128
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" mech=SIMPLE ssf=0
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 RESULT tag=97 err=0 text=
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH base="dc=AdminView" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH attr=uid userpassword
>     Mar 13 10:48:14 mippet slapd[8508]: conn=7 fd=60 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
>     Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 BIND dn="" method=128
>     Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 RESULT tag=97 err=0 text=
>     Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH base="dc=au,dc=cordoors,dc=dev" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
>     Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH attr=uid userpassword
>     Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=2 UNBIND
>     Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 closed
>
> This tells me two things: the rebind is performed anonymously, and no
> apparent attempt is made to use "acl-authcDN" etc for an ACL check. I no
> longer have access to a 2.2.26 system, and the logs have long since
> rotated.
>
> I'm fairly sure this used to work with 2.2.26 according to our staff, so
> perhaps something got tightened up in 2.3.20?
>
> It's no big deal, as I can always retrieve the DN then repeat the search
> with that DN as the base.
>
> --
> Dave Horsfall DTM VK2KFU [EMAIL PROTECTED] Ph: +61 2 9552-5509 (d) -5500 (sw)
> Corinthian Engrng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU

Ing. Pierangelo Masarati
Open Solution Manager
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   [EMAIL PROTECTED]
------------------------------------------
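The correlation Dave performs by eye on the slapd log (a client connection bound as cn=Manager whose forwarded search arrives on the ldapi socket with an empty bind DN and still asks for userPassword) can be checked mechanically. The following is an added example, not code from the thread or from OpenLDAP; it parses the quoted log lines, reproduced inline as constructed sample input, and pairs each anonymous ldapi-side connection that requested userpassword with the client connection carrying the same search filter.

```python
import re
from collections import defaultdict

# Constructed sample input: the slapd log lines quoted in the thread (abridged), one record per line.
SLAPD_LOG = """\
Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 ACCEPT from IP=192.168.1.1:1949 (IP=0.0.0.0:389)
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" mech=SIMPLE ssf=0
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH base="dc=AdminView" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 fd=60 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 BIND dn="" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH base="dc=au,dc=cordoors,dc=dev" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH attr=uid userpassword
"""

CONN_RE = re.compile(r'conn=(\d+) (?:op=\d+ )?(.*)$')
ACCEPT_RE = re.compile(r'ACCEPT from (\S+)')            # IP=... (network) or PATH=... (ldapi socket)
BIND_RE = re.compile(r'BIND dn="([^"]*)" method=')      # the method= record carries the bind DN
FILTER_RE = re.compile(r'filter="([^"]*)"')
ATTR_RE = re.compile(r'SRCH attr=(.*)$')

def find_anonymous_rebinds(log_text):
    """Return one finding per ldapi connection that bound with dn="" yet asked for
    userPassword, paired with the client connection whose identical filter it forwarded."""
    conns = defaultdict(lambda: {"source": "", "bind_dn": None, "filter": None, "attrs": set()})
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        c, rest = conns[m.group(1)], m.group(2)
        for regex, key in ((ACCEPT_RE, "source"), (BIND_RE, "bind_dn"), (FILTER_RE, "filter")):
            hit = regex.search(rest)
            if hit:
                c[key] = hit.group(1)
        hit = ATTR_RE.search(rest)
        if hit:
            c["attrs"].update(hit.group(1).lower().split())   # attrs are logged as the client typed them
    findings = []
    for conn, c in conns.items():
        if not (c["source"].startswith("PATH=") and c["bind_dn"] == "" and "userpassword" in c["attrs"]):
            continue
        # The proxy forwards the client's filter unchanged, so match the originating connection on it.
        origin = [k for k, o in conns.items() if k != conn and o["bind_dn"] and o["filter"] == c["filter"]]
        findings.append({"rebind_conn": conn,
                         "client_conn": origin[0] if origin else None,
                         "client_dn": conns[origin[0]]["bind_dn"] if origin else None})
    return findings
```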
