Hi all,
I've been trying to set up Chain on Update on CentOS DS 8.1. The master-slave replication works. Search queries return data from the replicated database on the slave perfectly.
When I send an update request, the slave binds with the master with the proper credentials but the ACI evaluation fails on the master. From the ACI logs on the master, it seems to me that the master evaluates the ACIs for the multiplexor bind dn rather than for the original user identity. This leads me to believe that somehow, proxy authentication is not happening. How do I solve this problem?
In my setup, the suffix and database configuration on the slave is as follows:
# Suffix
dn: cn="ou=Roster,dc=example,dc=com",cn=mapping tree,cn=config
cn: "ou=Roster,dc=example,dc=com"
objectClass: top
objectClass: extensibleObject
objectClass: nsMappingTree
nsslapd-state: backend
nsslapd-backend: RosterData
nsslapd-backend: RosterDataChain
nsslapd-distribution-plugin: /usr/lib/dirsrv/plugins/libreplication-plugin.so
nsslapd-distribution-funct: repl_chain_on_update
nsslapd-parent-suffix: "dc=example,dc=com"

# Database
dn: cn=RosterData,cn=ldbm database,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
nsslapd-suffix: ou=Roster,dc=example,dc=com

# Replica
dn: cn=replica,cn="ou=Roster,dc=example,dc=com",cn=mapping tree,cn=config
cn: replica
objectClass: top
objectClass: nsds5replica
objectClass: extensibleObject
nsds5replicaroot: ou=Roster,dc=example,dc=com
nsds5replicaid: 21
nsds5replicatype: 2
nsds5flags: 0
nsds5ReplicaBindDN: cn=dirhost1.example.net,ou=Replication Managers,cn=config
nsds5ReplicaBindDN: cn=dirhost2.example.net,ou=Replication Managers,cn=config

# Chaining Database
dn: cn=RosterDataChain,cn=chaining database,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
objectClass: nsBackendInstance
cn: RosterDataChain
nsslapd-suffix: ou=Roster,dc=example,dc=com
nsFarmServerUrl: ldap://dirhost1.example.net ldap://dirhost2.example.net
nsCheckLocalACI: on
nsUseStartTls: on
nsBindMethod:
nsMultiplexorBindDn: cn=dirslave1.example.net,ou=Replication Managers,cn=config
nsMultiplexorCredentials: secret
I've tried the following ACI combinations on ou=Roster,dc=example,dc=com on dirhost1 and dirhost2:
1> aci: (targetattr="*") (version 3.0; acl "Proxy access for chain-on-update"; allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=replication managers,cn=config";)
2> aci: (target=ldap:///uid=*,ou=Users,ou=Roster,dc=example,dc=com)(targetattr=*) (version 3.0; acl "Proxy access for chain-on-update as normal users"; allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=Replication Managers,cn=config";)
I see the following error in the ACI logs:
[20/Aug/2009:12:57:24 +051800] NSACLPlugin - conn=201 op=2 (main): Deny write on entry(uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com).attr(userPassword) to cn=dirslave1.example.net,ou=replication managers,cn=config: no aci matched the subject by aci(70): aciname= "Write access to personal info", acidn="ou=users,ou=roster,dc=example,dc=com"
Thanks, Mrugesh
P.S. The users can modify their own userpassword attribute properly.
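As an added diagnostic, not code from this thread or from 389 Directory Server, the following Python script parses the NSACLPlugin denial line quoted above together with the two proxy ACIs, normalises DN case so that the "ou=replication managers" and "ou=Replication Managers" spellings compare equal, and reports whether the denied subject actually holds a proxy right whose placement covers the target entry. The sample inputs are copied from the post (constructed test data, not live server output), and the log-line pattern is an assumption derived from that one line.

```python
import re

# Constructed inputs, copied from the thread: the two ACIs placed on
# ou=Roster,dc=example,dc=com and the NSACLPlugin denial from the master.
ACIS = [
    '(targetattr="*") (version 3.0; acl "Proxy access for chain-on-update"; '
    'allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=replication managers,cn=config";)',
    '(target=ldap:///uid=*,ou=Users,ou=Roster,dc=example,dc=com)(targetattr=*) '
    '(version 3.0; acl "Proxy access for chain-on-update as normal users"; '
    'allow (proxy) userdn="ldap:///cn=dirslave1.example.net,ou=Replication Managers,cn=config";)',
]
ACI_PLACEMENT_DN = "ou=Roster,dc=example,dc=com"

LOG_LINE = (
    "[20/Aug/2009:12:57:24 +051800] NSACLPlugin - conn=201 op=2 (main): "
    "Deny write on entry(uid=mrugesh.karnik,ou=users,ou=roster,dc=example,dc=com)"
    ".attr(userPassword) to cn=dirslave1.example.net,ou=replication managers,cn=config: "
    'no aci matched the subject by aci(70): aciname= "Write access to personal info", '
    'acidn="ou=users,ou=roster,dc=example,dc=com"'
)

# Assumed shape of an NSACLPlugin "Deny" line, inferred from the one above.
DENY_RE = re.compile(
    r"NSACLPlugin - conn=(?P<conn>\d+) op=(?P<op>\d+) \(main\): "
    r"Deny (?P<right>\w+) on entry\((?P<entry>[^)]*)\)\.attr\((?P<attr>[^)]*)\) "
    r"to (?P<subject>.*?): no aci matched"
)

# Extracts the granted rights and the userdn bind rule from an ACI string.
ACI_RE = re.compile(r'allow\s*\(([^)]*)\)\s*userdn\s*=\s*"ldap:///([^"]*)"', re.IGNORECASE)


def normalize_dn(dn):
    """Case-fold and trim each RDN so differently capitalised DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_denial(line):
    """Return the fields of an NSACLPlugin denial, or None if the line is not one."""
    m = DENY_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["entry"] = normalize_dn(fields["entry"])
    fields["subject"] = normalize_dn(fields["subject"])
    return fields


def parse_aci(aci):
    """Return {'rights': set, 'userdn': normalised DN} for a userdn-based ACI."""
    m = ACI_RE.search(aci)
    if not m:
        return None
    rights = {r.strip().lower() for r in m.group(1).split(",")}
    return {"rights": rights, "userdn": normalize_dn(m.group(2))}


def proxy_acis_for(subject_dn, entry_dn, acis, placement_dn):
    """ACIs placed at placement_dn that grant 'proxy' to subject_dn and whose
    placement covers entry_dn (the entry is at or below the placement point)."""
    subject, entry, placement = map(normalize_dn, (subject_dn, entry_dn, placement_dn))
    in_scope = entry == placement or entry.endswith("," + placement)
    if not in_scope:
        return []
    hits = []
    for aci in acis:
        parsed = parse_aci(aci)
        if parsed and "proxy" in parsed["rights"] and parsed["userdn"] == subject:
            hits.append(aci)
    return hits


def diagnose(log_line, acis, placement_dn):
    """Summarise whether the denied bind DN holds a proxy right in scope."""
    denial = parse_denial(log_line)
    if denial is None:
        return "no NSACLPlugin denial found"
    hits = proxy_acis_for(denial["subject"], denial["entry"], acis, placement_dn)
    if not hits:
        return f"denied subject has no proxy ACI in scope: {denial['subject']}"
    return (f"proxy right exists for {denial['subject']}, yet the {denial['right']} "
            f"on {denial['attr']} was evaluated against that bind DN itself, not a proxied user")


if __name__ == "__main__":
    print(diagnose(LOG_LINE, ACIS, ACI_PLACEMENT_DN))
```

Run against the quoted line, it confirms both ACIs grant proxy to the multiplexor DN and that the entry is under the placement point, so the denial is not a DN-spelling or scope mismatch; the remaining question is why the write on userPassword is evaluated against the bind DN rather than the proxied identity. The script only covers ACIs with a single `userdn` bind rule, which is all the thread shows.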
On Thursday 20 Aug 2009 13:10:42 Mrugesh Karnik wrote:
> When I send an update request, the slave binds with the master with the proper credentials but the ACI evaluation fails on the master. From the ACI logs on the master, it seems to me that the master evaluates the ACIs for the multiplexor bind dn rather than for the original user identity. This leads me to believe that somehow, proxy authentication is not happening. How do I solve this problem?
Upon further investigation, it turns out that chain on update works perfectly for attributes other than userPassword. For userPassword, the nsmultiplexorbinddn is directly considered for aci evaluation rather than the proxy bind dn.
Any takers?
Thanks, Mrugesh
389-users@lists.fedoraproject.org