On 2/7/20 19:42, brent s. wrote:
> Hey, all!
(SNIP)
> I get the error:
>
> Feb 08 00:32:19 foo slapd[17600]: => acl_mask: access to entry "ou=groupname,dc=domain,dc=com", attr "entry" requested
> Feb 08 00:32:19 foo slapd[17600]: => acl_mask: to all values by "cn=username,dc=domain,dc=net", (=0)
> Feb 08 00:32:19 foo slapd[17600]: <= check a_group_pat: cn=groupadmins,ou=groups,dc=domain,dc=net
> Feb 08 00:32:19 foo slapd[17600]: =>ldap_back_getconn: conn 0x7f7700009ef0 fetched refcnt=1.
> Feb 08 00:32:19 foo slapd[17600]: Error: ldap_back_is_proxy_authz returned 0, misconfigured URI?
(SNIP)
> I'm fairly certain this is PEBKAC, but I'm unclear what's going on. Do I need to reference the group in the ACL explicitly with the LDAP URI prefixed or something?
Update: this was indeed a PEBKAC. I'm not sure which exactly caused it,
but it is now working after:
1.) I added an appropriate TLS_CACERT to /etc/openldap/ldap.conf (is
this redundant with OLC? See #2 below) on the proxy and the target server.
2.) I changed cn=config?olcTLSCACertificateFile to match the value of #1
on the proxy and target server.
3.) The olcDatabase={3}ldap,cn=config entry now reads as such:
dn: olcDatabase={3}ldap,cn=config
objectClass: olcDatabaseConfig
objectClass: olcLDAPConfig
olcDatabase: {3}ldap
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=proxyUser,dc=domain,dc=net"
  credentials=somePasswordHere
  starttls=critical
  tls_protocol_min=1.2
olcDbProtocolVersion: 3
olcDbProxyWhoAmI: TRUE
olcDbRebindAsUser: TRUE
olcDbSessionTrackingRequest: TRUE
olcDbStartTLS: propagate
olcDbURI: ldap://bar.domain.tld
olcReadOnly: TRUE
olcSuffix: dc=domain,dc=net
I can now both auth successfully as a bind DN located on
dc=domain,dc=net to dc=domain,dc=com AND use group-based ACL rules on
dc=domain,dc=com based on groups found on dc=domain,dc=net (after
appropriate ACL rules for reading those groups' membership were created
on dc=domain,dc=net for cn=proxyUser,dc=domain,dc=net).
Sorry for the noise!
--
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info
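Added example (not part of Brent's message or of OpenLDAP itself): a small lint that reads an olcDatabase={n}ldap entry like the one above, unfolds the LDIF continuation lines, splits olcDbIDAssertBind into its key=value tokens and flags the settings that would let the proxy-to-backend hop fall back to cleartext (starttls not critical, tls_protocol_min below 1.2, try-start/try-propagate on an ldap:// URI). The SAMPLE entry and its password placeholder are constructed for the demo.

```python
def unfold_ldif(text):
    # A line starting with one space continues the previous value (RFC 2849)
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    return lines

def parse_entry(text):
    # Map each attribute of one LDIF entry to its list of values
    entry = {}
    for line in unfold_ldif(text):
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry

def lint_ldap_backend(text):
    # Flag settings that let the proxy-to-backend hop fall back to cleartext
    entry = parse_entry(text)
    findings = []
    bind = {}  # olcDbIDAssertBind is a space-separated list of key=value tokens
    for tok in " ".join(entry.get("olcDbIDAssertBind", [])).split():
        key, _, val = tok.partition("=")
        bind[key] = val.strip('"')
    if bind.get("starttls") != "critical":
        findings.append("idassert-bind: starttls is not 'critical'")
    vers = tuple(int(p) for p in bind.get("tls_protocol_min", "0").split("."))
    if vers < (1, 2):
        findings.append("idassert-bind: tls_protocol_min below 1.2")
    if "credentials" in bind:
        findings.append("idassert-bind: cleartext credentials stored in cn=config")
    # try-start / try-propagate keep going without TLS if StartTLS fails
    tls = entry.get("olcDbStartTLS", [""])[0]
    uris = " ".join(entry.get("olcDbURI", []))
    if "ldap://" in uris and tls not in ("start", "propagate"):
        findings.append("olcDbStartTLS allows cleartext fallback on ldap:// URI")
    return findings

# Constructed sample mirroring the entry in the message above (placeholder password)
SAMPLE = """dn: olcDatabase={3}ldap,cn=config
olcDbIDAssertBind: bindmethod=simple
  binddn="cn=proxyUser,dc=domain,dc=net"
  credentials=somePasswordHere
  starttls=critical
  tls_protocol_min=1.2
olcDbStartTLS: propagate
olcDbURI: ldap://bar.domain.tld
"""
```

Run against the working entry it reports only that the bind password sits in cleartext in cn=config, which is the reminder to keep read access to the config database tightly restricted.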