On Mon, 29 Sep 2014 11:24:53 +0200, Ferenc Wagner <[email protected]> wrote:

> Dieter Klünter <[email protected]> writes:
>
>> On Mon, 29 Sep 2014 00:14:55 +0200, Ferenc Wagner <[email protected]> wrote:
>>
>>> Ferenc Wagner <[email protected]> writes:
>>>
>>>> I've got a partial syncrepl replica, which (among others) misses
>>>> the userPassword attributes of the provider database. I added a
>>>> pbind overlay to the replica, which forwards binds to the
>>>> provider, thus it became possible to do simple binds against the
>>>> replica. But access control on the replica does not honor these
>>>> binds properly: "by users" works, but "by self" does not. Before
>>>> I waste too much time debugging: is it supposed to work at all?
>>>> I tested this under 2.4.31 with:
>>>>
>>>> dn: olcDatabase={1}mdb,cn=config
>>>> olcAccess: to * by
>>>>  dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth
>>>>  read by self read by * none
>>>> olcSyncrepl: rid=1 [...]
>>>>
>>>> The external auth part works, and if I replace self with users,
>>>> that works as well (but is not what I want). Do I expect too
>>>> much?
>>>
>>> Would anybody please provide some guidance on this problem?
>>
>> Define an authorization regular expression in order to map the SASL auth
>> string to a DN.
>
> The SASL auth part works as is, no problem with that, I included it
> only to keep the olcAccess attribute verbatim. But I'd like to get
> the "read by self" part to work with simple binds. But these binds must
> be done through the pbind overlay, as userPassword is not
> replicated. Pbind works to some extent, as binding only succeeds
> with the correct password, but the "by self" selector does not fire,
> as if the remote and local DN were treated as different. Or is this
> what you imply, that I still need a mapping in this case?

Define a DN in the access rules, as 'self' must match a DN.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
