Dieter Klünter <[email protected]> writes:

> On Mon, 29 Sep 2014 11:24:53 +0200, Ferenc Wagner <[email protected]> wrote:
>
>> Dieter Klünter <[email protected]> writes:
>>
>>> On Mon, 29 Sep 2014 00:14:55 +0200, Ferenc Wagner <[email protected]> wrote:
>>>
>>>> Ferenc Wagner <[email protected]> writes:
>>>>
>>>>> I've got a partial syncrepl replica, which (among others) misses
>>>>> the userPassword attributes of the provider database. I added a
>>>>> pbind overlay to the replica, which forwards binds to the
>>>>> provider, thus it became possible to do simple binds against the
>>>>> replica. But access control on the replica does not honor these
>>>>> binds properly: "by users" works, but "by self" does not. Before
>>>>> I waste too much time debugging: is it supposed to work at all?
>>>>> I tested this under 2.4.31 with:
>>>>>
>>>>> dn: olcDatabase={1}mdb,cn=config
>>>>> olcAccess: to * by dn.exact=gidNumber=119+uidNumber=116,cn=peercred,cn=external,cn=auth read by self read by * none
>>>>> olcSyncrepl: rid=1 [...]
>>>>>
>>>>> The external auth part works, and if I replace self with users,
>>>>> that works as well (but is not what I want). Do I expect too
>>>>> much?
>>>>
>>>> Would anybody please provide some guidance on this problem?
>>>
>>> Define an authorization regular expression in order to map the SASL auth
>>> string to a DN.
>>
>> The SASL auth part works as is, no problem with that; I included it
>> only to keep the olcAccess attribute verbatim. But I'd like to get
>> the "read by self" part to work with simple binds. But these binds must
>> be done through the pbind overlay, as userPassword is not
>> replicated. Pbind works to some extent, as binding only succeeds
>> with the correct password, but the "by self" selector does not fire,
>> as if the remote and local DN were treated as different. Or is this
>> what you imply, that I still need a mapping in this case?
>
> Define a DN in the access rules, as 'self' must match a DN.

I must be missing something, then... Isn't "to *" enough? It certainly works on the master; does pbind have extra requirements?
-- 
Thanks,
Feri.
