[Date Prev][Date Next] [Chronological] [Thread] [Top]

memberOf search ACLs

To: openldap-technical@openldap.org
Subject: memberOf search ACLs
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 18 Jul 2008 18:46:30 +1000

I've recently been trying to lock down Samba4's default ACLs, in it's
generated LDAP backend configuration.

I have memberOf configured to 'error' on dangling links, which I need
for Samba.  

But I seem to be having some trouble with ACLs.  I've attached my full
config file, but the key part is:

access to dn.base="" 
       by dn=cn=samba-admin,cn=samba manage
       by anonymous read
       by * read

access to dn.subtree="cn=samba"
       by anonymous auth

access to dn.subtree="${DOMAINDN}"
       by dn=cn=samba-admin,cn=samba manage
       by * none

If I change the last line to 'by * read', then the error is returned,
but otherwise (due apparently to "" being unable to read the entry to
validate it's existence).

Shouldn't the search operations happen as the rootdn or memberof-dn, or
am I missing some other configuration element here?

In trying to fix this, I looked at what seemed to by typos in
memberof.c, the patch of which I attach, but this didn't help.

Any thoughts?

Thanks,

Andrew Bartlett
-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

loglevel 0

include /home/data/samba/git/samba/source/st/dc/private/ldap/backend-schema.schema

pidfile		/home/data/samba/git/samba/source/st/dc/private/ldap/slapd.pid
argsfile	/home/data/samba/git/samba/source/st/dc/private/ldap/slapd.args
sasl-realm samba.example.com

#authz-regexp
#          uid=([^,]*),cn=samba.example.com,cn=digest-md5,cn=auth
#          ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)

#authz-regexp
#          uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
#          ldap:///DC=samba,DC=example,DC=com??sub?(samAccountName=\$1)

authz-regexp
          uid=([^,]*),cn=([^,]*),cn=digest-md5,cn=auth
          ldap:///cn=samba??one?(cn=\$1)

authz-regexp
          uid=([^,]*),cn=([^,]*),cn=ntlm,cn=auth
          ldap:///cn=samba??one?(cn=\$1)

access to dn.base="" 
       by dn=cn=samba-admin,cn=samba manage
       by anonymous read
       by * read

access to dn.subtree="cn=samba"
       by anonymous auth

access to dn.subtree="DC=samba,DC=example,DC=com"
       by dn=cn=samba-admin,cn=samba manage
       by * none

password-hash   {CLEARTEXT}

include /home/data/samba/git/samba/source/st/dc/private/ldap/modules.conf

defaultsearchbase DC=samba,DC=example,DC=com

# Generated from schema in /home/data/samba/git/samba/source/st/dc/private/ldap/schema-tmp.ldb
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad member
memberof-memberof-ad memberOf
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-ObjectReference
memberof-memberof-ad msDS-ObjectReferenceBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad serverReference
memberof-memberof-ad serverReferenceBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad hasMasterNCs
memberof-memberof-ad masteredBy
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad siteObject
memberof-memberof-ad siteObjectBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msCOM-UserPartitionSetLink
memberof-memberof-ad msCOM-UserLink
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad bridgeheadTransportList
memberof-memberof-ad bridgeheadServerListBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad manager
memberof-memberof-ad directReports
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-hasMasterNCs
memberof-memberof-ad msDs-masteredBy
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad msDS-NonMembers
memberof-memberof-ad msDS-NonMembersBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad managedBy
memberof-memberof-ad managedObjects
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad queryPolicyObject
memberof-memberof-ad queryPolicyBL
memberof-dangling-error 32
overlay memberof
memberof-dn cn=samba-admin,cn=samba
memberof-dangling error
memberof-refint TRUE
memberof-group-oc top
memberof-member-ad nonSecurityMember
memberof-memberof-ad nonSecurityMemberBL
memberof-dangling-error 32
overlay refint
refint_attributes memberOf member msDS-ObjectReferenceBL msDS-ObjectReference serverReferenceBL serverReference masteredBy hasMasterNCs siteObjectBL siteObject msCOM-UserLink msCOM-UserPartitionSetLink bridgeheadServerListBL bridgeheadTransportList directReports manager msDs-masteredBy msDS-hasMasterNCs msDS-NonMembersBL msDS-NonMembers managedObjects managedBy queryPolicyBL queryPolicyObject nonSecurityMemberBL nonSecurityMember

database	ldif
suffix		cn=Samba
directory       /home/data/samba/git/samba/source/st/dc/private/ldap/db/samba


database        hdb
suffix		CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
rootdn          cn=Manager,CN=Schema,CN=Configuration,DC=samba,DC=example,DC=com
directory	/home/data/samba/git/samba/source/st/dc/private/ldap/db/schema
index           objectClass eq
index           samAccountName eq
index name eq
index objectCategory eq
index lDAPDisplayName eq
index subClassOf eq
index cn eq

#syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

database        hdb
suffix		CN=Configuration,DC=samba,DC=example,DC=com
rootdn          cn=Manager,CN=Configuration,DC=samba,DC=example,DC=com
directory	/home/data/samba/git/samba/source/st/dc/private/ldap/db/config
index           objectClass eq
index           samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index nCName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq

#syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

database        hdb
suffix		DC=samba,DC=example,DC=com
rootdn          cn=Manager,DC=samba,DC=example,DC=com
directory	/home/data/samba/git/samba/source/st/dc/private/ldap/db/user
index           objectClass eq
index           samAccountName eq
index name eq
index objectSid eq
index objectCategory eq
index member eq
index uidNumber eq
index gidNumber eq
index nCName eq
index lDAPDisplayName eq
index subClassOf eq
index dnsRoot eq
index nETBIOSName eq
index cn eq

#syncprov is stable in OpenLDAP 2.3, and available in 2.2.  
#We only need this for the contextCSN attribute anyway....
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100

Index: servers/slapd/overlays/memberof.c
===================================================================
RCS file: /repo/OpenLDAP/pkg/ldap/servers/slapd/overlays/memberof.c,v
retrieving revision 1.20
diff -u -r1.20 memberof.c
--- servers/slapd/overlays/memberof.c	1 Jul 2008 09:48:10 -0000	1.20
+++ servers/slapd/overlays/memberof.c	17 Jul 2008 23:52:15 -0000
@@ -571,7 +571,7 @@
 			&& is_entry_objectclass_or_sub( op->ora_e, mo->mo_oc_group ) )
 	{
 		op->o_dn = op->o_bd->be_rootdn;
-		op->o_dn = op->o_bd->be_rootndn;
+		op->o_ndn = op->o_bd->be_rootndn;
 		op->o_bd->bd_info = (BackendInfo *)on->on_info;
 
 		for ( ap = &op->ora_e->e_attrs; *ap; ) {
@@ -805,7 +805,7 @@
 			BerVarray	vals = NULL;
 
 			op->o_dn = op->o_bd->be_rootdn;
-			op->o_dn = op->o_bd->be_rootndn;
+			op->o_ndn = op->o_bd->be_rootndn;
 			op->o_bd->bd_info = (BackendInfo *)on->on_info;
 			rc = backend_attribute( op, NULL, &op->o_req_ndn,
 					mo->mo_ad_member, &vals, ACL_READ );
@@ -820,7 +820,7 @@
 				&& !get_relax( op ) )
 		{
 			op->o_dn = op->o_bd->be_rootdn;
-			op->o_dn = op->o_bd->be_rootndn;
+			op->o_ndn = op->o_bd->be_rootndn;
 			op->o_bd->bd_info = (BackendInfo *)on->on_info;
 		
 			assert( op->orm_modlist != NULL );

Attachment: signature.asc
Description: This is a digitally signed message part

Follow-Ups:
- Re: memberOf search ACLs
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: memberOf search ACLs
  - From: Pierangelo Masarati <ando@sys-net.it>

Prev by Date: Re: password changing problems
Next by Date: FAO: any OpenLDAP.org FAQ-O-Matic admins around
Index(es):
- Chronological
- Thread