Re: OpenLDAP security woes.
On Mon, 15 May 2000, Kurt D. Zeilenga wrote:
> Date: Mon, 15 May 2000 07:27:15 -0700
> From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
> To: mark@ferraretto.com
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: OpenLDAP security woes.
>
> At 12:05 PM 5/15/00 +0930, Mark Ferraretto wrote:
> >***** Issue number 1 *****
> >Now, I want to set up OpenLDAP's security so that I can allow only the
> >owner of the ou access to their private space and no-one else (except the
> >manager). To do this, I've got the following declarations in slapd.conf:
> >
> >defaultaccess none
> >access to attr=userpassword by self write by * none
> >access to dn="*,ou=private,dc=ferraretto,dc=com" by dnattr=owner write by
> >self write by * none
>
> Your second access directive DN clause is defective. You
> likely meant dn=".*,ou=private,dc=ferraretto,dc=com".
>
Did this. Still no banana.
Here's an extract from running the server with -d 255. This is when kldap
is trying to bind as
ou=mferrare, ou=PDS, dc=ferraretto, dc=com.
ou=mferrare owns all the entries in the ou. It has a userpassword field
and each field below it has an owner attribute set to ou=mferrare,ou...
Looks like kldap is binding anonymously for the search. Am I correct?
-------------------------------------------------------------------------
=> access_allowed: entry (ou=mferrare, ou=PDS,dc=ferraretto, dc=com) attr
(objectclass)
=> acl_get: entry (ou=mferrare, ou=PDS,dc=ferraretto, dc=com) attr
(objectclass)
=> acl_get: edn OU=MFERRARE,OU=PDS,DC=FERRARETTO,DC=COM
=> acl_get: [1] check attr objectclass
=> dnpat: [2] .*,OU=PDS,DC=FERRARETTO,DC=COM nsub: 0
=> acl_get:[2] backend ACL match
=> acl_get: [2] check attr objectclass
<= acl_get: [2] backend acl ou=mferrare, ou=PDS,dc=ferraretto, dc=com
attr: objectclass
=> acl_access_allowed: search access to entry "ou=mferrare,
ou=PDS,dc=ferraretto, dc=com"
=> acl_access_allowed: search access to value "any" by ""
<= check a_dnattr: owner
<= check a_dnpat: self
=> string_expand: pattern: self
=> string_expand: expanded: self
=> regex_matches: string:
=> regex_matches: rc: 1 no matches
<= check a_dnpat: .*
=> string_expand: pattern: .*
=> string_expand: expanded: .*
=> regex_matches: string:
=> regex_matches: rc: 0 matches
<= acl_access_allowed: matched by clause #3 access denied
=> access_allowed: exit (ou=mferrare, ou=PDS,dc=ferraretto, dc=com) attr
(objectclass)
<= test_filter -2
---------------------------------------------------------------------------
--
Mark Ferraretto Phone: +61 8 8396 2448
Ferraretto IT Services Fax: +61 8 8396 7176
26 Observation Drive Mobile: +61 407 959 719
Highbury SA 5089 Email: mark@ferraretto.com
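As an added example (not from this thread or from OpenLDAP's own code), the following Python toy walks the posted access directives the way the trace above does: the anonymous identity "" falls past dnattr=owner and self to the "* none" clause, so the search is denied, while the owning DN is granted by clause #1. It assumes Kurt's corrected `.*,ou=private` pattern, constructed entry DNs under ou=private (the trace itself shows ou=PDS), and slapd's first-matching-directive, first-matching-clause semantics; it also shows that the original `*,ou=private` form is not a valid regular expression.

```python
import re

# Access directives from the original post, with Kurt's corrected dn= pattern.
# Constructed data structure; slapd's own config parser is not used here.
ACLS = [
    {"attr": "userpassword", "dn": None,
     "by": [("self", "write"), ("*", "none")]},
    {"attr": None, "dn": r".*,ou=private,dc=ferraretto,dc=com",
     "by": [("dnattr=owner", "write"), ("self", "write"), ("*", "none")]},
]
LEVELS = ["none", "compare", "search", "read", "write"]  # weakest first

def norm(dn):
    """Canonicalise a DN for comparison: strip space after commas, lowercase."""
    return re.sub(r",\s*", ",", dn.strip()).lower()

def pattern_compiles(dn_pattern):
    """A dn= clause is a regex: '*,ou=...' has nothing to repeat, '.*,ou=...' is fine."""
    try:
        re.compile(dn_pattern)
        return True
    except re.error:
        return False

def access_allowed(bind_dn, entry_dn, entry_attrs, attr, op, acls=ACLS, default="none"):
    """First directive whose target matches decides; within it, the first 'by'
    clause matching the bound identity decides. bind_dn "" is an anonymous bind."""
    bind, entry = norm(bind_dn), norm(entry_dn)
    for acl in acls:
        if acl["attr"] is not None and acl["attr"] != attr.lower():
            continue
        if acl["dn"] is not None and not re.fullmatch(acl["dn"], entry, re.IGNORECASE):
            continue
        for i, (who, level) in enumerate(acl["by"], 1):
            if who == "self":
                matched = bind != "" and bind == entry
            elif who.startswith("dnattr="):
                owners = {norm(v) for v in entry_attrs.get(who[len("dnattr="):], [])}
                matched = bind != "" and bind in owners
            else:  # "*" matches everyone, anonymous included
                matched = True
            if matched:
                granted = LEVELS.index(level) >= LEVELS.index(op)
                return granted, "clause #%d (%s %s)" % (i, who, level)
    return LEVELS.index(default) >= LEVELS.index(op), "defaultaccess " + default

# Constructed entries: the owner's ou and one entry below it carrying owner=.
OWNER = "ou=mferrare,ou=private,dc=ferraretto,dc=com"
ENTRY = "cn=addr1,ou=mferrare,ou=private,dc=ferraretto,dc=com"
ATTRS = {"owner": [OWNER], "objectclass": ["top"]}
```

Calling `access_allowed("", ENTRY, ATTRS, "objectclass", "search")` reproduces the trace's "matched by clause #3 access denied"; the same call bound as OWNER is granted by the dnattr=owner clause, which is why the client's bind identity, not the ACL, is the thing to check next.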