Hi, I have some problems understanding strong binds and proxy authc with back-ldap. It seems that back-ldap is not passing the bind credentials to the remote server, thus only an anonymous bind is enforced. On the other hand, an ldapwhoami results in success

,----[ ldapwhoami on back-ldap ]
| ldapwhoami -Y digest-md5 -U dieter -w secret -H ldap://localhost:9004
| SASL/DIGEST-MD5 authentication started
| SASL username: dieter
| SASL SSF: 128
| SASL data security layer installed.
| dn:cn=dieter kluenter,ou=partner,dc=dkluenter,dc=de
`----

while an ldapsearch results in no success

ldapsearch -Y digest-md5 -Udieter -w pfeife -H ldap://localhost:9004 -b dc=dkluenter,dc=de -s sub sn=las* mail telephonenumber

,----[ log with loglevel acl ]
| slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
| slapd[7050]: => acl_mask: to all values by "", (=0)
| slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
| slapd[7050]: <= check a_dn_pat: users
| slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
| slapd[7050]: => slap_access_allowed: search access denied by =0
| slapd[7050]: => access_allowed: no more rules
`----

the back-ldap configuration,

,----[ back-ldap slapd.conf ]
| .....
| modulepath /opt/openldap/libexec/openldap
| moduleload back_meta.la
| moduleload back_ldap.la
| moduleload pcache.la
| moduleload rwm.la
| authz-regexp uid=(.*),cn=.*,cn=auth
|   ldap:///dc=dkluenter,dc=de??sub?uid=$1
|
| access to * by * read
| database ldap
| suffix dc=dkluenter,dc=de
| rootdn cn=admin,dc=dkluenter,dc=de
| uri ldap://localhost:389
| acl-bind
|   bindmethod=sasl
|   saslmech=digest-md5
|   authcId=admanager
|   credentials=mailer
| #idassert-authzFrom dn.regex:cn=(.*),ou=(*)?dc=dkluenter,dc=de
| idassert-bind
|   bindmethod=sasl
|   saslmech=digest-md5
|   authzId=u:admanager
|   authz=native
|   credentials=mailer
| proxy-whoami yes
| overlay rwm
| rwm-rewriteEngine on
| rwm-suffixmassage "dc=dkluenter,dc=de" "o=avci,c=de"
| overlay pcache
| proxycache bdb 10000 22 50 3600
| proxycachequeries 10000
| proxyattrset 0 mail telephonenumber
| proxyattrset 1 mobile homephone
| proxytemplate (sn=) 0 3600
| proxytemplate (cn=) 1 3600
| directory /opt/openldap/var/cache
| cachesize 1000
| dbconfig set_cachesize 0 1048576 0
| index objectClass,queryid eq
| index telephonenumber pres,eq
| index cn,sn,mail pres,eq,sub
| #
| database monitor
`----

the relevant access rules on the remote server

,----[ slapd.conf access rules ]
| access to dn.subtree="ou=adressbuch,o=avci,c=de"
|   by dn.exact="cn=adManager,o=avci,c=de" write
|   by users read
`----

Not to mention that the same search operation on the remote server is successful.

-Dieter
-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
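As an added example (not part of Dieter's post or of OpenLDAP), here is a small Python script for triaging exactly this kind of question from the remote server's `loglevel acl` output: for each access check it extracts the target entry and attribute, the identity the ACL engine evaluated (the DN inside `by "..."`, where an empty string means the operation arrived anonymously), the `<who>` clauses that were tried, and the final grant/deny. The sample log is constructed: the first check is the denied `sn` check quoted in the post (lowercased to the form slapd emits), the second is a made-up check in which the proxy identity did reach the remote server, so the two can be compared side by side. Only log line shapes that appear in the post, plus the standard `slap_access_allowed ... granted by` form, are parsed.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample log, modelled on the 'loglevel acl' lines in the post above.
# The second check is invented to show how a non-anonymous evaluation looks.
SAMPLE_LOG = """\
slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "sn" requested
slapd[7050]: => acl_mask: to all values by "", (=0)
slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
slapd[7050]: <= check a_dn_pat: users
slapd[7050]: <= acl_mask: no more <who> clauses, returning =0 (stop)
slapd[7050]: => slap_access_allowed: search access denied by =0
slapd[7050]: => access_allowed: no more rules
slapd[7050]: => acl_mask: access to entry "cn=Deszo Laszlo,ou=adressbuch,o=avci,c=de", attr "mail" requested
slapd[7050]: => acl_mask: to all values by "cn=admanager,o=avci,c=de", (=0)
slapd[7050]: <= check a_dn_pat: cn=admanager,o=avci,c=de
slapd[7050]: <= acl_mask: [1] applying write(=wrscxd) (stop)
slapd[7050]: <= acl_mask: [1] mask: write(=wrscxd)
slapd[7050]: => slap_access_allowed: search access granted by write(=wrscxd)
slapd[7050]: => access_allowed: search access granted by write(=wrscxd)
"""

# Start of one access check: which entry/attribute is being evaluated.
RE_ENTRY = re.compile(
    r'=> acl_mask: access to entry "(?P<dn>[^"]*)", attr "(?P<attr>[^"]*)" requested')
# The identity the ACL engine is evaluating; an empty DN is an anonymous operation.
RE_BY = re.compile(r'=> acl_mask: to (?:all values|value "[^"]*") by "(?P<who>[^"]*)"')
# Each <who> clause slapd tries against that identity.
RE_CHECK = re.compile(r'<= check (?P<pat>\S+): (?P<val>.*)$')
# Final decision for the check.
RE_RESULT = re.compile(
    r'=> slap_access_allowed: (?P<op>\w+) access (?P<decision>granted|denied) by (?P<mask>\S+)')


@dataclass
class AclCheck:
    entry: str
    attr: str
    bound_as: Optional[str] = None          # None = not seen yet, "" = anonymous
    who_clauses: List[str] = field(default_factory=list)
    decision: Optional[str] = None
    mask: Optional[str] = None

    @property
    def anonymous(self) -> bool:
        return self.bound_as == ""


def parse_acl_log(text: str) -> List[AclCheck]:
    """Group 'loglevel acl' lines into one AclCheck per entry/attribute evaluation."""
    checks: List[AclCheck] = []
    cur: Optional[AclCheck] = None
    for line in text.splitlines():
        m = RE_ENTRY.search(line)
        if m:
            cur = AclCheck(entry=m["dn"], attr=m["attr"])
            checks.append(cur)
            continue
        if cur is None:
            continue                        # noise before the first check
        m = RE_BY.search(line)
        if m:
            cur.bound_as = m["who"]
            continue
        m = RE_CHECK.search(line)
        if m:
            cur.who_clauses.append(f'{m["pat"]}={m["val"]}')
            continue
        m = RE_RESULT.search(line)
        if m:
            cur.decision = m["decision"]
            cur.mask = m["mask"]
    return checks


def anonymous_checks(checks: List[AclCheck]) -> List[AclCheck]:
    """Checks where the remote slapd saw no bound identity at all."""
    return [c for c in checks if c.anonymous]


def summarize(checks: List[AclCheck]) -> List[str]:
    """One human-readable line per check, for a quick look at who the ACL saw."""
    lines = []
    for c in checks:
        who = "anonymous" if c.anonymous else (c.bound_as or "?")
        lines.append(f'{c.decision or "?"}: {c.attr}@{c.entry} as {who} '
                     f'(tried {len(c.who_clauses)} <who> clause(s), mask {c.mask})')
    return lines


if __name__ == "__main__":
    parsed = parse_acl_log(SAMPLE_LOG)
    for s in summarize(parsed):
        print(s)
    print(f"{len(anonymous_checks(parsed))} of {len(parsed)} checks were evaluated anonymously")
```

Pipe a real `loglevel acl` capture into `parse_acl_log` and look at `bound_as`: if it is the empty string while the client believes it is bound, the bind or the asserted identity never made it to the server doing the ACL evaluation, which narrows the problem to the proxy hop rather than to the `access to` rules themselves.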
