
Re: ACL problem -- user accessing own password




Christine Robertson wrote:
> 
> Hi all,
> 
> I have an interesting (well, to me anyway :-) ACL question.  My ACLs
> are set up like this:
> 
> access to attrs=userPassword
>     by self write
>     by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
>     by anonymous auth
>     by * search
> access to attrs=entry
>     by self write
>     by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
>     by * read
> access to *
>     by dn="uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com" write
>     by * read
> 
> The entries I am binding as look like this, a pretty standard
> posixAccount record, and our own created admin class record:
> 
> dn: uid=chris,dc=au,dc=cordoors,dc=com
> objectClass: posixAccount
> uidNumber: 1946
> gidNumber: 400
> homeDirectory: /usr/users/chris
> loginShell: /bin/tcsh
> gecos: Chris Robertson
> cn: Chris Robertson
> uid: chris
> userPassword: myencryptedpassword

Have you tried using the migration scripts to create your accounts?  You
may need the "top" object class or the shadowAccount object class (with
appropriate attribute values) to bind.
> 
> dn: uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com
> objectClass: ciAdministrator
> cn: Chris
> sn: Robertson
> uid: chris
> ou: Artarmon
> l: nsw
> description: Ldap Directory Programmer
> userPassword: myotherencryptedpassword
> 
> When I bind as the directory root DN, I can see the userPassword
> attribute, but not if I bind as either of the two records above:
> 
> ldapsearch -x -C -LLL -W -D uid=chris,dc=au,dc=cordoors,dc=com '(uid=chris)' userPassword
> and
> ldapsearch -x -C -LLL -W -D uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com '(uid=chris)' userPassword
> 
> both produce only
> 
> dn: uid=chris,ou=CIAdmin,dc=au,dc=cordoors,dc=com
> 
> dn: uid=chris,dc=au,dc=cordoors,dc=com
> 
> There is no doubt that I am binding OK, as I a) get no error message, and
> b) can see the rest of the record.

I would triple-check that you are, in fact, binding OK.  If you turn on
logging for local4.debug or start slapd with the '-d<number>' option you
can see what the LDAP server is doing.  Your point b) is irrelevant
since an anonymous bind can see the rest of the record with your ACL.
As to point a), what version of OpenLDAP are you using?  You are typing
a nonempty password, right?  An empty password is an automatic anonymous
bind regardless of the bind DN.
> 
> Any ideas?
> 
> --Chris Robertson
> Corinthian Engineering
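The reply's two points, that the posted ACL lets an anonymous bind read everything except userPassword and that an empty password turns any bind into an anonymous one, modelled as an added example; this is not code from either poster, just a small first-match evaluator of the ACL quoted above with the bind-DN regexes copied from it.

```python
import re

# Access levels in the order slapd ranks them; a higher level implies every lower one.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

# Model of the ACL in the quoted post: (attribute or "*", list of (who, access)).
# 'who' is "self", "anonymous", "*", or a regex the bind DN must match (constructed).
ADMIN_RE = r"uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=com"
ACL = [
    ("userPassword", [("self", "write"), (ADMIN_RE, "write"),
                      ("anonymous", "auth"), ("*", "search")]),
    ("entry", [("self", "write"), (ADMIN_RE, "write"), ("*", "read")]),
    ("*", [(ADMIN_RE, "write"), ("*", "read")]),
]

def bind(dn, password):
    """Effective identity of a simple bind: an empty password yields an anonymous
    session ("") no matter which DN was supplied, as the reply points out."""
    return "" if password == "" else dn

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "self":
        return bind_dn != "" and bind_dn == target_dn
    # Regex 'by dn=' clause; slapd regexes are unanchored unless written with ^ and $.
    return bind_dn != "" and re.search(who, bind_dn) is not None

def granted(bind_dn, target_dn, attr):
    """The first 'access to' clause covering attr decides.  Within it the first
    matching 'by' wins; if no 'by' matches, access is denied (implicit 'by * none')."""
    for what, clauses in ACL:
        if what in ("*", attr):
            for who, access in clauses:
                if who_matches(who, bind_dn, target_dn):
                    return access
            return "none"
    return "none"

def can_read(bind_dn, target_dn, attr):
    """True if the granted level is at least 'read' (write implies read)."""
    return LEVELS.index(granted(bind_dn, target_dn, attr)) >= LEVELS.index("read")

if __name__ == "__main__":
    me = "uid=chris,dc=au,dc=cordoors,dc=com"
    print(can_read(bind(me, "secret"), me, "userPassword"))  # self write -> readable
    print(can_read(bind(me, ""), me, "userPassword"))        # anonymous -> auth only
    print(can_read(bind(me, ""), me, "cn"))                  # 'access to *' by * read
```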