Roberto Polli wrote:
> On Thursday 23 July 2009 17:49:43 Rich Megginson wrote:
>> Roberto Polli wrote:
>>
>>> hi all,
>>>
>>> I got a similar problem with: dblink+proxyuser.
>>>
>>>
>>>> Rich Megginson wrote:
>>>>
>>>>> Giovanni Mancuso wrote:
>>>>> But if I try to execute the ldapsearch in the first directory server I have
>>>>> the following error: proxy does not currently work with directory
>>>>> manager. Directory manager is considered a "local" user to each
>>>>> directory server. Try a different user. Now, I create a new user in the
>>>>> first DS:
>>>>>
>>>> By first DS do you mean the DS with the "real" database or the DS with
>>>> the database link? We also refer to the DS with the "real" database as
>>>> the "remote" DS and the DS with the database link as the "local" DS.
>>>>
>>> case1)
>>> * I bind with uid=admin to the local DS tree to modify the "givenName" of
>>> a user on the remote server
>>> * the modify is successful, as the uid=admin is proxied and the
>>> "uid=admin" is replicated on the remote server
>>>
>>> case2)
>>> * same as case1 but I try to modify "userPassword"
>>> * the modify fails as the remote server won't evaluate aci on "uid=admin"
>>> but on "dn:proxyuser"
>>>
>> Is there an aci on the remote server that explicitly denies access to
>> userPassword? How about on the local server?
>>
> nope: "deny" is never mentioned, neither on the local nor on the remote server:
> # for i in "" "uid=pluto,node=isola3," "node=isola3,"; do
>     ldapsearch .. -b "${i}dc=babel,dc=it" -s base aci
> done | grep -ci deny
> 0
> acis on remote
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
> aci: (targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version 3.0;acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");) // INHERITED FROM node=isola3
>
> acis on remote are the same:
> aci: (targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; allow (read, search, compare) userdn="ldap:///anyone";) //INHERITED FROM BASEDN
> aci: (targetattr = "*") (version 3.0;acl "SA administration";allow (all)(roledn = "ldap:///cn=SA role,dc=babel,dc=it");) //INHERITED FROM BASEDN
>> You should not have to allow the proxy user "all" access, only "proxy"
>> access. The proxy user is not a "superuser". The access control should
>> apply to the actual user.
>>
> so proxy access should be able to change userPassword...
Yes.
> do I have to set some custom settings in config (e.g. plugins & co)?
So the user uid=admin - is that the Directory Manager (rootdn)? If not,
is it a member of roledn = "ldap:///cn=SA role,dc=babel,dc=it"?
Does roledn = "ldap:///cn=SA role,dc=babel,dc=it" exist on both the
local and remote servers?
Peace,
R.
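The questions above (is uid=admin in the SA role, and does that role exist on the remote server too) come down to what the remote server's ACIs grant to the *proxied* identity rather than to the proxy user. The script below is an added illustration, not code from this thread or from 389 Directory Server: it is a deliberately simplified model of 389 DS ACI evaluation (default deny, deny beats allow, `all` grants every right except `proxy`, `target` scopes by subtree, `targetattr` with `=` or `!=`, `userdn`/`roledn` bind rules, several bind rules in one ACI OR-ed together; nothing else is modelled). It parses the three ACIs quoted in the thread and evaluates the operations from case1 and case2 against them. The DN `uid=admin,dc=babel,dc=it`, the role membership of the two `uid=admin` subjects and the entry `uid=pluto,node=isola3,dc=babel,dc=it` are constructed assumptions; the thread never shows them.

```python
"""Simplified model of 389 DS ACI evaluation (added example, not 389's own code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# "all" in a 389 DS ACI grants every right except proxy.
ALL_RIGHTS = {"read", "search", "compare", "write", "add", "delete", "selfwrite"}
ENTRY_LEVEL_RIGHTS = {"add", "delete", "proxy"}   # not restricted by targetattr in this model


def norm_dn(dn: str) -> str:
    """Lower-case a DN and drop whitespace around RDN separators so plain string compares work."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()


def in_subtree(entry_dn: str, base_dn: str) -> bool:
    e = norm_dn(entry_dn)
    return e == base_dn or e.endswith("," + base_dn)


@dataclass
class Aci:
    name: str
    effect: str                  # "allow" or "deny"
    rights: set
    bind_rules: list             # [(keyword, normalised value), ...]
    attr_negated: bool           # targetattr != "..."
    attrs: set                   # {"*"} means every attribute
    target: Optional[str]        # normalised subtree DN, or None when there is no target clause


@dataclass
class Subject:
    dn: Optional[str]            # None means an anonymous bind
    roles: set = field(default_factory=set)


ATTR_RE = re.compile(r'\(\s*targetattr\s*(!=|=)\s*"([^"]*)"\s*\)', re.I)
TARGET_RE = re.compile(r'\(\s*target\s*=\s*"ldap:///([^"]*)"\s*\)', re.I)
BODY_RE = re.compile(r'acl\s*"([^"]*)"\s*;\s*(allow|deny)\s*\(([^)]*)\)(.*)', re.I | re.S)
BIND_RE = re.compile(r'(userdn|roledn)\s*=\s*"ldap:///([^"]*)"', re.I)


def parse_aci(text: str) -> Aci:
    m = ATTR_RE.search(text)
    b = BODY_RE.search(text)
    if not m or not b:
        raise ValueError("ACI outside this model: " + text)
    attrs = {a.strip().lower() for a in m.group(2).split("||")}
    rights = {r.strip().lower() for r in b.group(3).split(",")}
    if "all" in rights:
        rights = (rights - {"all"}) | ALL_RIGHTS      # note: proxy is NOT included
    rules = [(k.lower(), norm_dn(v)) for k, v in BIND_RE.findall(b.group(4))]
    t = TARGET_RE.search(text)
    return Aci(b.group(1), b.group(2).lower(), rights, rules,
               m.group(1) == "!=", attrs, norm_dn(t.group(1)) if t else None)


def bind_rule_matches(keyword: str, value: str, subject: Subject) -> bool:
    if keyword == "userdn":
        if value == "anyone":
            return True                                # anonymous binds included
        if value == "all":
            return subject.dn is not None              # any authenticated bind
        return subject.dn is not None and norm_dn(subject.dn) == value
    if keyword == "roledn":
        return value in {norm_dn(r) for r in subject.roles}
    return False


def aci_applies(aci: Aci, entry_dn: str, attr: Optional[str], right: str) -> bool:
    """Do target, targetattr and the rights list cover this operation?"""
    if aci.target and not in_subtree(entry_dn, aci.target):
        return False
    if right not in aci.rights:
        return False
    if right in ENTRY_LEVEL_RIGHTS or attr is None:
        return True
    a = attr.lower()
    return (a not in aci.attrs) if aci.attr_negated else ("*" in aci.attrs or a in aci.attrs)


def allowed(subject: Subject, entry_dn: str, attr: Optional[str], right: str, acis: list) -> bool:
    """Default deny; any matching deny ACI wins over every allow ACI."""
    granted = False
    for aci in acis:
        if not aci_applies(aci, entry_dn, attr, right):
            continue
        if not any(bind_rule_matches(k, v, subject) for k, v in aci.bind_rules):
            continue
        if aci.effect == "deny":
            return False
        granted = True
    return granted


# The three ACIs quoted in the thread, re-joined onto single lines.
REMOTE_ACIS = [
    '(targetattr!="userPassword")(version 3.0; acl "Enable anonymous access"; '
    'allow (read, search, compare) userdn="ldap:///anyone";)',
    '(targetattr = "*") (version 3.0;acl "SA administration";allow (all)'
    '(roledn = "ldap:///cn=SA role,dc=babel,dc=it");)',
    '(targetattr = "*") (target = "ldap:///node=isola3,dc=babel,dc=it") (version 3.0;'
    'acl "proxy3proxy";allow (proxy)(userdn = "ldap:///uid=proxyuser3,cn=config");)',
]


def check_thread_cases() -> dict:
    """Evaluate case1/case2 from the thread as the remote server would see them (constructed subjects)."""
    acis = [parse_aci(a) for a in REMOTE_ACIS]
    entry = "uid=pluto,node=isola3,dc=babel,dc=it"          # assumed target entry
    anon = Subject(dn=None)
    admin_plain = Subject(dn="uid=admin,dc=babel,dc=it")     # assumed DN, not in the SA role
    admin_sa = Subject(dn="uid=admin,dc=babel,dc=it", roles={"cn=SA role,dc=babel,dc=it"})
    proxy3 = Subject(dn="uid=proxyuser3,cn=config")
    return {
        "anon_read_givenName": allowed(anon, entry, "givenName", "read", acis),
        "anon_read_userPassword": allowed(anon, entry, "userPassword", "read", acis),
        "admin_plain_write_givenName": allowed(admin_plain, entry, "givenName", "write", acis),
        "admin_sa_write_givenName": allowed(admin_sa, entry, "givenName", "write", acis),
        "admin_sa_write_userPassword": allowed(admin_sa, entry, "userPassword", "write", acis),
        "proxy3_proxy_in_isola3": allowed(proxy3, entry, None, "proxy", acis),
        "proxy3_proxy_outside_target": allowed(proxy3, "uid=x,dc=babel,dc=it", None, "proxy", acis),
        "proxy3_write_givenName": allowed(proxy3, entry, "givenName", "write", acis),
        "admin_sa_proxy": allowed(admin_sa, entry, None, "proxy", acis),   # "all" excludes proxy
    }


if __name__ == "__main__":
    for name, ok in check_thread_cases().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

What the model shows about the posted ACIs: the only one that treats userPassword differently from givenName is the anonymous read ACI, which never grants write. A write to either attribute succeeds only through "SA administration", i.e. only if the proxied identity is a member of `cn=SA role,dc=babel,dc=it` as evaluated on the remote server; proxyuser3 itself gets nothing but `proxy`, and even the SA role's `all` does not include `proxy`. If givenName really is writable while userPassword is not, the difference has to come from something these ACIs do not show (a role resolved differently on the two servers, or a deny/other ACI further up the tree), which is exactly what the questions above are probing.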