
Re: OpenLDAP security woes.



On Mon, 15 May 2000, Kurt D. Zeilenga wrote:

> Date: Mon, 15 May 2000 07:27:15 -0700
> From: Kurt D. Zeilenga <Kurt@OpenLDAP.org>
> To: mark@ferraretto.com
> Cc: openldap-software@OpenLDAP.org
> Subject: Re: OpenLDAP security woes.
> 
> At 12:05 PM 5/15/00 +0930, Mark Ferraretto wrote:
> >***** Issue number 1 *****
> >Now, I want to set up OpenLDAP's security so that I can allow only the
> >owner of the ou access to their private space and no-one else (except the
> >manager).  To do this, I've got the following declarations in slapd.conf:
> >
> >defaultaccess none
> >access to attr=userpassword by self write by * none
> >access to dn="*,ou=private,dc=ferraretto,dc=com" by dnattr=owner write by
> >self write by * none
> 
> Your second access directive DN clause is defective.  You
> likely meant dn=".*,ou=private,dc=ferraretto,dc=com".
> 

Did this.  Still no banana.

Here's an extract from running the server with -d 255.  This is when kldap
is trying to bind as 
ou=mferrare, ou=PDS, dc=ferraretto, dc=com.
ou=mferrare owns all the entries in the ou.  It has a userpassword field
and each field below it has an owner attribute set to ou=mferrare,ou...

Looks like kldap is binding anonymously for the search.  Am I correct?

-------------------------------------------------------------------------
=> access_allowed: entry (ou=mferrare, ou=PDS,dc=ferraretto, dc=com) attr
(objectclass)

=> acl_get: entry (ou=mferrare, ou=PDS,dc=ferraretto, dc=com) attr
(objectclass)
=> acl_get: edn OU=MFERRARE,OU=PDS,DC=FERRARETTO,DC=COM
=> acl_get: [1] check attr objectclass
=> dnpat: [2] .*,OU=PDS,DC=FERRARETTO,DC=COM nsub: 0
=> acl_get:[2]  backend ACL match
=> acl_get: [2] check attr objectclass
<= acl_get: [2] backend acl ou=mferrare, ou=PDS,dc=ferraretto, dc=com
attr: objectclass

=> acl_access_allowed: search access to entry "ou=mferrare,
ou=PDS,dc=ferraretto, dc=com"

=> acl_access_allowed: search access to value "any" by ""
<= check a_dnattr: owner
<= check a_dnpat: self
=> string_expand: pattern:  self
=> string_expand: expanded: self
=> regex_matches: string:   
=> regex_matches: rc: 1 no matches
<= check a_dnpat: .*
=> string_expand: pattern:  .*
=> string_expand: expanded: .*
=> regex_matches: string:   
=> regex_matches: rc: 0 matches
<= acl_access_allowed: matched by clause #3 access denied

=> access_allowed: exit (ou=mferrare, ou=PDS,dc=ferraretto, dc=com) attr
(objectclass)
<= test_filter -2
---------------------------------------------------------------------------

 -- 
Mark Ferraretto                 Phone:  +61 8 8396 2448
Ferraretto IT Services            Fax:  +61 8 8396 7176
26 Observation Drive           Mobile:  +61 407 959 719
Highbury SA 5089                Email:  mark@ferraretto.com
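The trace above ends with "matched by clause #3 access denied" because the search arrives with an empty bind DN (`by ""`), which only the final `by * none` clause matches. The following is an added example, not code from the post or from OpenLDAP: a small Python model of the first-match walk that slapd's `-d 255` output shows (pick the first `access to` directive whose DN pattern and attribute match, then take the first `by` clause that matches the binder). The two directives from the post are fed in as constructed input, with Kurt's corrected `.*` pattern and the `ou=PDS` suffix that appears in the trace; the entry DNs and attribute values, the upper-casing normalization, the unanchored case-insensitive regex matching, and the limited set of `who` forms are all assumptions of this model rather than slapd's own semantics.

```python
"""Simplified model of OpenLDAP 2.0-style slapd.conf ACL evaluation.

Added example, not slapd's code.  It reproduces only the first-match
walk visible in a -d 255 trace; regex handling, DN normalization and
the supported "who" forms are simplifications (assumptions).
"""
import re

# Access levels in increasing order; a granted level covers every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Constructed input: the two directives quoted in the post, with the ".*"
# pattern Kurt suggested and the ou=PDS suffix seen in the trace.
ACL_TEXT = """\
access to attr=userpassword by self write by * none
access to dn=".*,ou=PDS,dc=ferraretto,dc=com" by dnattr=owner write by self write by * none
"""
DEFAULT_ACCESS = "none"  # "defaultaccess none" from the post


def normalize_dn(dn):
    """Upper-case and drop spaces after commas, like the trace's edn line."""
    return re.sub(r",\s*", ",", dn.strip()).upper()


def parse_acls(text):
    """Parse 'access to <what> by <who> <level> ...' lines into dicts."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("access to "):
            continue
        head, *clauses = re.split(r"\s+by\s+", line[len("access to "):])
        what = {"dn": None, "attr": None}
        for dn_pat, attr in re.findall(r'dn="([^"]*)"|attr=(\S+)', head):
            if dn_pat:
                what["dn"] = dn_pat
            if attr:
                what["attr"] = attr.lower()
        by = []
        for clause in clauses:
            who, level = clause.split()
            if level not in LEVELS:
                raise ValueError("unknown access level %r" % level)
            by.append((who, level))
        acls.append({"what": what, "by": by})
    return acls


def what_matches(what, entry_dn, attr):
    """Does this 'access to' directive cover the entry and attribute?"""
    if what["attr"] is not None and what["attr"] != attr.lower():
        return False
    if what["dn"] is not None and not re.search(
            what["dn"], normalize_dn(entry_dn), re.IGNORECASE):
        return False
    return True


def who_matches(who, entry_dn, entry_attrs, bind_dn):
    """Does a 'by <who>' clause match the binder?  Empty bind DN = anonymous."""
    bind = normalize_dn(bind_dn)
    if who == "*":
        return True  # everyone, anonymous included: this is clause #3 in the trace
    if who == "anonymous":
        return bind == ""
    if who == "users":
        return bind != ""
    if who == "self":
        return bind != "" and bind == normalize_dn(entry_dn)
    if who.startswith("dnattr="):
        name = who[len("dnattr="):].lower()
        values = [v for k, vs in entry_attrs.items() if k.lower() == name for v in vs]
        return bind != "" and any(normalize_dn(v) == bind for v in values)
    if who.startswith('dn="') and who.endswith('"'):
        return re.search(who[4:-1], bind, re.IGNORECASE) is not None
    raise ValueError("unsupported who clause %r" % who)


def evaluate(acls, entry_dn, entry_attrs, attr, bind_dn):
    """Return (level, acl_index, clause_index), 1-based like the trace;
    indexes are None when no directive matched and defaultaccess applies."""
    for i, acl in enumerate(acls, 1):
        if not what_matches(acl["what"], entry_dn, attr):
            continue
        for j, (who, level) in enumerate(acl["by"], 1):
            if who_matches(who, entry_dn, entry_attrs, bind_dn):
                return level, i, j
        return "none", i, None  # directive matched but no clause did
    return DEFAULT_ACCESS, None, None


def access_allowed(acls, entry_dn, entry_attrs, attr, bind_dn, wanted):
    """True if the granted level covers the requested one (search, read, ...)."""
    level, _, _ = evaluate(acls, entry_dn, entry_attrs, attr, bind_dn)
    return LEVELS.index(level) >= LEVELS.index(wanted)


# Constructed sample entries (assumed shapes, not Mark's real data).
OWNER_DN = "ou=mferrare, ou=PDS, dc=ferraretto, dc=com"
OWNER_ENTRY = {"objectclass": ["organizationalUnit"], "userpassword": ["{CRYPT}x"]}
CHILD_DN = "cn=Some Contact, ou=mferrare, ou=PDS, dc=ferraretto, dc=com"
CHILD_ENTRY = {"objectclass": ["person"], "owner": [OWNER_DN]}
ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    for label, dn in [("anonymous", ""), ("self", OWNER_DN),
                      ("other user", "cn=bob,dc=ferraretto,dc=com")]:
        print(label, "->", evaluate(ACLS, OWNER_DN, OWNER_ENTRY, "objectclass", dn))
```

Run as a script, the anonymous case lands on directive 2, clause 3 with level `none`, which is exactly what the trace reports; binding as `ou=mferrare,...` lands on clause 2 (`self write`), and the same bind DN on a child entry whose `owner` names it lands on clause 1 (`dnattr=owner write`). The practical check this suggests is to confirm the client really sends a bind DN before touching the ACLs again: an empty `by ""` in the trace means no ACL ordering will help.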