I've recently been trying to lock down Samba4's default ACLs, in its generated LDAP backend configuration. I have memberOf configured to 'error' on dangling links, which I need for Samba. But I seem to be having some trouble with ACLs.

I've attached my full config file, but the key part is:

    access to dn.base=""
        by dn=cn=samba-admin,cn=samba manage
        by anonymous read
        by * read

    access to dn.subtree="cn=samba"
        by anonymous auth

    access to dn.subtree="${DOMAINDN}"
        by dn=cn=samba-admin,cn=samba manage
        by * none

If I change the last line to 'by * read', then the error is returned, but otherwise (due apparently to "" being unable to read the entry to validate its existence).

Shouldn't the search operations happen as the rootdn or memberof-dn, or am I missing some other configuration element here?

In trying to fix this, I looked at what seemed to be typos in memberof.c, the patch of which I attach, but this didn't help.

Any thoughts?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
loglevel 0

include /home/data/samba/git/samba/source/st/dc/private/ldap/backend-schema.schema

pidfile /home/data/samba/git/samba/source/st/dc/private/ldap/slapd.pid
argsfile /home/data/samba/git/samba/source/st/dc/private/ldap/slapd.args

sasl-realm samba.example.com

#authz-regexp
#  uid=([^,]*),cn=samba.example.com,cn=digest-md5,cn=auth
#  ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)

#authz-regexp
#  uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
#  ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)

authz-regexp
  uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
  ldap:///cn=samba??one?(cn=\$1)

authz-regexp
  uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
  ldap:///cn=samba??one?(cn=\$1)

access to dn.base=""
  by dn=cn=samba-admin,cn=samba manage
  by anonymous read
  by * read

access to dn.subtree="cn=samba"
  by anonymous auth

access to dn.subtree="DC=samba,DC=example,DC=com"
  by dn=cn=samba-admin,cn=samba manage
  by * none

password-hash {CLEARTEXT}

include /home/data/samba/git/samba/source/st/dc/private/ldap/modules.conf

defaultsearchbase DC=samba,DC=example,DC=com

# Generated from schema in /home/data/samba/git/samba/source/st/dc/private/ldap/schema-tmp.ldb

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-ObjectReference
memberof-memberof-ad msDS-ObjectReferenceBL
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad serverReference
memberof-memberof-ad serverReferenceBL
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad hasMasterNCs
memberof-memberof-ad masteredBy
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad siteObject
memberof-memberof-ad siteObjectBL
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msCOM-UserPartitionSetLink
memberof-memberof-ad msCOM-UserLink
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad bridgeheadTransportList
memberof-memberof-ad bridgeheadServerListBL
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad manager
memberof-memberof-ad directReports
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-hasMasterNCs
memberof-memberof-ad msDs-masteredBy
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-NonMembers
memberof-memberof-ad msDS-NonMembersBL
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad managedBy
memberof-memberof-ad managedObjects
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad queryPolicyObject
memberof-memberof-ad queryPolicyBL
memberof-dangling-error 32

overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad nonSecurityMember
memberof-memberof-ad nonSecurityMemberBL
memberof-dangling-error 32

overlay refint
refint_attributes memberOf member msDS-ObjectReferenceBL msDS-ObjectReference serverReferenceBL serverReference masteredBy hasMasterNCs siteObjectBL siteObject msCOM-UserLink msCOM-UserPartitionSetLink bridgeheadServerListBL bridgeheadTransportList directReports manager msDs-masteredBy msDS-hasMasterNCs msDS-NonMembersBL msDS-NonMembers managedObjects managedBy queryPolicyBL queryPolicyObject nonSecurityMemberBL nonSecurityMember

database ldif
suffix cn=Samba
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/samba

database hdb
suffix CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
rootdn cn=Manager,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/schema
index objectClass eq
index samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq

#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

database hdb
suffix CN=Configuration,DC=samba,DC=example,DC=com
rootdn cn=Manager,CN=Configuration,DC=samba,DC=example,DC=com
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/config
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq

#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

database hdb
suffix DC=samba,DC=example,DC=com
rootdn cn=Manager,DC=samba,DC=example,DC=com
directory /home/data/samba/git/samba/source/st/dc/private/ldap/db/user
index objectClass eq
index samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq

#syncprov is stable in OpenLDAP 2.3, and available in 2.2.
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
Index: servers/slapd/overlays/memberof.c =================================================================== RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/memberof.c,v retrieving revision 1.20 diff -u -r1.20 memberof.c --- servers/slapd/overlays/memberof.c 1 Jul 2008 09:48:10 -0000 1.20 +++ servers/slapd/overlays/memberof.c 17 Jul 2008 23:52:15 -0000 @@ -571,7 +571,7 @@ && is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) ) { op->o_dn = op->o_bd->be_rootdn; - op->o_dn = op->o_bd->be_rootndn; + op->o_ndn = op->o_bd->be_rootndn; op->o_bd->bd_info = (BackendInfo *)on->on_info; for ( ap = &op->ora_e->e_attrs; *ap; ) { @@ -805,7 +805,7 @@ BerVarray vals = NULL; op->o_dn = op->o_bd->be_rootdn; - op->o_dn = op->o_bd->be_rootndn; + op->o_ndn = op->o_bd->be_rootndn; op->o_bd->bd_info = (BackendInfo *)on->on_info; rc = backend_attribute( op, NULL, &op->o_req_ndn, mo->mo_ad_member, &vals, ACL_READ ); @@ -820,7 +820,7 @@ && !get_relax( op ) ) { op->o_dn = op->o_bd->be_rootdn; - op->o_dn = op->o_bd->be_rootndn; + op->o_ndn = op->o_bd->be_rootndn; op->o_bd->bd_info = (BackendInfo *)on->on_info; assert( op->orm_modlist != NULL );
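Review bot: the first hunk (the `is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group )` branch at -571) is the right correction: the removed line assigned `op->o_dn` a second time and never touched `op->o_ndn`, so the normalized DN kept the caller's identity while only the pretty DN was switched to root. Note that all three hunks switch to `op->o_bd->be_rootdn` / `be_rootndn`, not to the `memberof-dn` (`cn=samba-admin,cn=samba`) set in the attached slapd.conf; if that configured identity is the one that is meant to perform these internal reads, these paths do not use it, which may explain why the patch did not change the behaviour described in the message.

Review bot: in the -805 hunk the only consumer in view is `backend_attribute( op, NULL, &op->o_req_ndn, mo->mo_ad_member, &vals, ACL_READ )`; with `o_ndn` now set to the root normalized DN, that read of the member attribute is performed with root identity, so if the dangling-link error in the message originates from this read it should stop; if it persists, the failing read lives on another path and this hunk, while correct, is not the one that matters.

Review bot: the -820 hunk (the `!get_relax( op )` branch) shows the identity being swapped to rootdn but, within the visible context, no save or restore of the original `o_dn` / `o_ndn`; please confirm they are restored after the internal operation and on every early return past `assert( op->orm_modlist != NULL )`, otherwise the rest of the caller's modify continues with root identity.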
Attachment:
signature.asc
Description: This is a digitally signed message part
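The ACL behaviour the message describes, as an added example that is not part of the original post or of OpenLDAP: a deliberately simplified model of slapd's access evaluation (assumptions: the first matching `access to` clause is selected, within it the first matching `by` clause decides, no match at either stage means none, the database rootdn bypasses ACLs, and DN normalization is approximated by case folding) run over the three rules quoted above and the `by * read` variant. It shows why a read performed as the empty DN gets nothing under the domain subtree, while cn=samba-admin and the rootdn can read the entry.

```python
LEVELS = ["none", "auth", "read", "manage"]  # slapd access levels, weakest first

def norm(dn):
    # Assumption: case-folded, whitespace-trimmed RDNs stand in for
    # slapd's full DN normalization.
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""

def dn_matches(scope, target, entry):
    t, e = norm(target), norm(entry)
    if scope == "base":          # dn.base: exactly this entry
        return e == t
    if t == "":                  # dn.subtree="": the whole DIT
        return True
    return e == t or e.endswith("," + t)   # dn.subtree: entry or descendants

def who_matches(who, bind_dn):
    b = norm(bind_dn)
    if who == "*":
        return True
    if who == "anonymous":       # unauthenticated bind, DN is ""
        return b == ""
    if who.startswith("dn="):
        return b == norm(who[3:])
    raise ValueError("unsupported 'by' clause: " + who)

def access(acls, rootdn, bind_dn, entry):
    """First matching 'access to' clause, then its first matching 'by'
    clause; no match at either stage is 'none'. rootdn bypasses ACLs."""
    if norm(bind_dn) == norm(rootdn):
        return "manage"
    for scope, target, by in acls:
        if dn_matches(scope, target, entry):
            for who, level in by:
                if who_matches(who, bind_dn):
                    return level
            return "none"
    return "none"

# The three rules quoted in the post, with DOMAINDN from the attached slapd.conf.
DOMAINDN = "DC=samba,DC=example,DC=com"
ADMIN = "dn=cn=samba-admin,cn=samba"
POSTED = [("base", "", [(ADMIN, "manage"), ("anonymous", "read"), ("*", "read")]),
          ("subtree", "cn=samba", [("anonymous", "auth")]),
          ("subtree", DOMAINDN, [(ADMIN, "manage"), ("*", "none")])]
# The variant the post tries: last line changed to "by * read".
OPENED = POSTED[:2] + [("subtree", DOMAINDN, [(ADMIN, "manage"), ("*", "read")])]

def can_read(acls, bind_dn, entry, rootdn="cn=Manager," + DOMAINDN):
    return LEVELS.index(access(acls, rootdn, bind_dn, entry)) >= LEVELS.index("read")
```

Feeding the same identities to the real server's ACL trace (loglevel acl) is the way to confirm the model against slapd itself.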