
Re: (ITS#4035) rootdn incorrect in cn=config backend/database



This is a multi-part message in MIME format.
--------------090007030100010708080707
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit

2.3.9: Agreed with Andreas; only I can actually change any cn=config
hierarchy attribute, even though I get the "insufficient access" denial.

Compile and access details attached.

--Tonni


-- 
Mail: tonye@billy.demon.nl
http://www.billy.demon.nl


--------------090007030100010708080707
Content-Type: text/plain;
 name="do-conf"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="do-conf"

# Build recipe attached to the ITS report ("do-conf"): configure slapd with
# TLS, Cyrus SASL and the listed configure switches, then build.
# The CFLAGS prefix applies to the ./configure command line only.
configure_opts="--with-tls --with-cyrus-sasl"
for switch in accesslog denyop dyngroup dynlist lastmod ppolicy proxycache \
              refint retcode rwm syncprov translucent unique valsort \
              spasswd ldap; do
        configure_opts="$configure_opts --enable-$switch"
done

# Same option set and order as the original multi-line invocation.
CFLAGS="-O -g" ./configure $configure_opts

make depend && make


--------------090007030100010708080707
Content-Type: text/plain;
 name="slapd.access"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="slapd.access"

# Sample access control policy (as attached to the ITS report):
#	Root DSE: allow anyone to read it
#	Subschema (sub)entry DSE: allow anyone to read it
#	Other DSEs:
#		Allow self write access
#		Allow authenticated users read access
#		Allow anonymous users to authenticate
#	Directives needed to implement policy:
#
# NOTE(review): slapd evaluates "access to" directives in the order written
# and uses the first directive whose target matches; within it, the first
# matching "by" clause decides.  A later, more general directive therefore
# never applies to a target an earlier one already matched.  Several
# directives below are shadowed for exactly this reason (flagged inline).

# Subtypes of "name" (e.g. "cn" and "ou") with the
# option ";x-hidden" can be searched for/compared,
# but are not shown.  See slapd.access(5).

#attributeoptions x-hidden lang-
#access to attr=name;x-hidden by * search

# Root DSE: admin writes; the listed hosts and local ldapi:// clients read;
# everyone else gets nothing.  This is stricter than the header comment
# ("allow anyone to read it") -- one of the two should be corrected.
access to dn.base=""
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read
  by * none

# Subschema subentry: world readable.
access to dn.base="cn=Subschema"
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by * read

# cn=config (the base entry here, the whole subtree below): world readable.
# NOTE(review): "by * read" on cn=config exposes the complete server
# configuration -- including any root password hash or replication
# credentials stored there -- to anonymous clients.  Unless that is intended,
# restrict both directives to the admin DN and/or local clients.
# The dn.base directive is also redundant: dn.subtree includes the base
# entry and grants identical rights.
access to dn.base="cn=config"
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by * read

access to dn.subtree="cn=config"
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by * read

# cn=monitor: admin writes, world reads.  This is the only place the dn style
# is spelled out (dn.exact=); the other directives rely on the default style
# of a bare dn= -- presumably also exact for this version, TODO confirm
# against slapd.access(5) and make it explicit.
access to dn.subtree="cn=monitor"
  by dn.exact=cn=admin,dc=billy,dc=demon,dc=nl write
  by * read

# NOTE(review): duplicate of the cn=Subschema directive above; it is never
# reached because the earlier directive already matches this entry.  The
# per-host clauses are moot anyway given the trailing "by * read".
access to dn.base="cn=Subschema"
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read
  by * read

# Credential attributes: admin and people managers write; the entry itself
# may read its own hashes (read, not write, so this rule does not allow a
# self-service password change); everyone else may only bind against them.
# The closing "by * none" is unreachable -- "by * auth" already matches
# everyone.  Note "attr=" here versus "attrs=" in every other directive;
# confirm this slapd version accepts the short spelling.
access to dn.subtree=dc=billy,dc=demon,dc=nl 
  attr=userPassword,sambaLMPassword,sambaNTPassword
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by self read
  by * auth
  by * none

# Author's note: the last clause must grant at least "search" on the admin
# entry, otherwise SASL proxy authorization cannot resolve it.
# Only anonymous gets search here; an authenticated non-admin user matches
# neither clause and is therefore denied.
access to dn.subtree=cn=admin,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by anonymous search

# authzTo (proxy-authorization targets) is world readable here, which reveals
# which identities each entry may act as.  Consider limiting read to the
# admin DN, the people managers and self.
access to dn.subtree=dc=billy,dc=demon,dc=nl
  attrs=AuthzTo
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

# Privileged mail-alias group: admin and people managers only.
access to dn=cn=privileged,ou=mailaliases,ou=groups,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * none

# People-managers group itself: admin and members write, world reads.
access to dn=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

# cn=people container (entry pseudo-attribute and objectClass only).  There
# is no trailing "by *" clause; slapd denies when a directive matches the
# target but none of its by clauses match, so unlisted clients get nothing.
access to dn=cn=people,ou=groups,dc=billy,dc=demon,dc=nl
  attrs=objectclass,entry
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read

# Same rights for entry/objectClass of everything beneath cn=people, with an
# explicit deny for everyone else.
access to dn.subtree=cn=people,ou=groups,dc=billy,dc=demon,dc=nl
  attrs=objectclass,entry
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read
  by * none

# Personal contact details: the person may edit their own; other entries
# under cn=people may read them; nobody else.
access to dn.subtree=cn=people,ou=groups,dc=billy,dc=demon,dc=nl
  attrs=homePostalAddress,homePhone,mobile,mailHost,destinationIndicator
  by self write
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by dn.subtree=cn=people,ou=groups,dc=billy,dc=demon,dc=nl read
  by * none

# Account-status, shadow, Samba and quota attributes: admin and people
# managers only.  The repeated attrs= lines are presumably merged into one
# list -- confirm this slapd version unions them rather than keeping only
# the last line (otherwise just "quota" would be covered here).
access to dn.subtree=cn=people,ou=groups,dc=billy,dc=demon,dc=nl
  attrs=accountstatus,confirmtext,maildrop,mailbox,mailMessageStore
  attrs=shadowLastChange,shadowMin,shadowMax,shadowWarning,shadowInactive,shadowFlag,shadowExpire
  attrs=sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,sambaPwdLastSet
  attrs=sambaSID,sambaPrimaryGroupSID,sambaPasswordHistory,sambaKickoffTime
  attrs=sambaLogonHours,sambaLogonScript
  attrs=quota
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * none

# "children" pseudo-attribute of cn=people: governs adding/removing entries
# beneath it.  Only admin and people managers may write; no "by *" clause,
# so everyone unlisted is denied.
access to dn=cn=people,ou=groups,dc=billy,dc=demon,dc=nl
  attrs=children
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read

# ou=contacts container: world readable; admin and people managers write.
access to dn=ou=contacts,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

# Adding/removing entries under ou=contacts: admin and people managers.
access to dn=ou=contacts,dc=billy,dc=demon,dc=nl
  attrs=children
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by * read

# Mail aliases: admin and people managers write; listed hosts and local
# ldapi:// clients read; everyone else denied.
access to dn.subtree=ou=mailaliases,ou=groups,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by group=cn=peoplemanagers,ou=groups,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read
  by * none

# Catch-all for everything else under dc=billy,dc=demon,dc=nl: admin writes,
# listed hosts and ldapi:// clients read, nobody else (no "by *" clause).
# NOTE(review): because this subtree directive matches every entry of the
# DIT, the two Samba directives below it are never reached -- in particular
# uid=root,ou=smb gets no write access.  Move them above this directive if
# they are meant to apply.
access to dn.subtree=dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by peername.ip=127.0.0.1 read
  by peername.ip=192.168.0.2 read
  by peername.ip=192.168.0.3 read
  by sockurl.regex="^ldapi://.*$" read

# Samba 3 -- shadowed by the catch-all directive above (see note there).

access to dn=ou=smb,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by dn=uid=root,ou=smb,dc=billy,dc=demon,dc=nl write
  by self read

access to dn=ou=users,ou=smb,dc=billy,dc=demon,dc=nl
  by dn=cn=admin,dc=billy,dc=demon,dc=nl write
  by dn=uid=root,ou=smb,dc=billy,dc=demon,dc=nl write
  by self write

# if no access controls are present, the default policy is:
#	Allow read by all
#
# rootdn can always write (the rootdn bypasses these directives entirely)!



--------------090007030100010708080707--