slapd sasl auxprop plugin and minimum ssf, different sasl ssf per host
Hi!
I use openldap 2.1.11.
First I'll write what I want:
storing userPassword as plaintext in ldap in the userPassword attrib.
using the internal slapd sasl auxprop plugin
This works. Many thanks.
Allow a few privileged hosts to bind with sasl and simple bind with
ssf=0. Any other clients must use sasl bind with min_ssf=56, and simple
bind with min_ssf=128. (I only say 56 and 128 because these are greater
than 0.)
1./ The first problem is that the slapd auxprop plugin can't read the
userPassword attrib if it has any ssf with a value greater than 0.
see the following example acl:
access to attribute=userPassword
by dn="uid=ldapadmin,ou=People,dc=my_domain" write
by peername="IP=127\.0\.0\.1:*" anonymous auth
by peername="IP=192\.168\.1\.1:*" anonymous auth
by ssf=56 anonymous auth
by * none
Any request coming from 127.0.0.1 or 192.168.1.1 can use e.g. the
DIGEST-MD5 sasl mech., but e.g. 192.168.1.2 can't (even with tls) because
slapd always seems to use ssf=0 to look up the userPassword.
balsa@192.168.1.2:~$ ldapsearch -U balsa -Y DIGEST-MD5 -ZZ uid=balsa
slapd[2659]: <= check a_dn_pat: anonymous
slapd[2659]: <= check a_authz.sai_ssf: ACL 56 > OP 0
^^^^^^^^^^^^^^^^^^^^^^
slapd[2659]: <= check a_dn_pat: self
slapd[2659]: <= check a_dn_pat: *
slapd[2659]: <= acl_mask: [7] applying none(=n) (stop)
slapd[2659]: <= acl_mask: [7] mask: none(=n)
slapd[2659]: => access_allowed: auth access denied by none(=n)
So I can't specify a security policy in ACLs for simple bind.
2./ Second problem: how can I specify the required sasl ssf per host?
3./ Maybe a workaround: using two slapds with different configs containing the
following options:
security simple_bind=128
sasl-secprops minssf=56
and
security simple_bind=0
sasl-secprops minssf=0
and don't use the ACL for the security policy.
What is the elegant solution, or must I run two slapds with different
configs? Can I run two slapds on the same db4 database?
Thanks.
balsa
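The deny in the posted log can be reproduced offline with a small model of how slapd walks the "by" clauses of an access directive: the first clause whose selectors all match decides the outcome, an ssf=N selector only matches when the operation's own ssf is at least N, and when nothing matches an implicit "by * none" applies. The script below is an added example, not code from the poster or from OpenLDAP; it simplifies slapd's real acl.c (dn= is treated as an exact match, peername= as an unanchored regex, no "disclose" level, no <what> matching), and the entry DN and peer ports are constructed values.

```python
"""Toy evaluator for slapd-style 'access to ... by ...' clauses.

Constructed example modelling first-match ACL evaluation, so the deny in
the posted log can be reproduced offline. This is a simplification of
slapd's acl.c and is not OpenLDAP code.
"""
import re
import shlex
from dataclasses import dataclass

# Access levels in ascending order; a clause granting a level also grants
# everything below it (slapd 2.1 ordering, which has no "disclose").
LEVELS = ["none", "auth", "compare", "search", "read", "write"]


@dataclass
class Request:
    target: str      # DN of the entry whose attribute is being accessed
    dn: str          # bound DN of the requester, "" when anonymous
    peername: str    # slapd peername string, e.g. "IP=192.168.1.2:40512"
    ssf: int         # security strength factor of *this operation*
    access: str      # level the operation needs, e.g. "auth" for the auxprop lookup


@dataclass
class Clause:
    selectors: list  # every selector must match (slapd ANDs them)
    access: str      # level granted when the clause matches


def parse_acl(text: str) -> list:
    """Parse the 'by ...' lines of one access directive into Clause objects."""
    clauses = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)       # keeps the \. escapes inside "..."
        if not tokens or tokens[0] != "by":
            continue                     # skip the 'access to ...' header
        clauses.append(Clause(selectors=tokens[1:-1], access=tokens[-1]))
    return clauses


def selector_matches(sel: str, req: Request) -> bool:
    if sel == "*":
        return True
    if sel == "anonymous":
        return req.dn == ""
    if sel == "users":
        return req.dn != ""
    if sel == "self":
        return req.dn != "" and req.dn.lower() == req.target.lower()
    if sel.startswith("dn="):            # modelled as exact, case-insensitive match
        return req.dn.lower() == sel[len("dn="):].lower()
    if sel.startswith("peername="):      # regex, unanchored like a plain regexec()
        return re.search(sel[len("peername="):], req.peername) is not None
    if sel.startswith("ssf="):           # clause applies only at or above this ssf
        return req.ssf >= int(sel[len("ssf="):])
    raise ValueError(f"unsupported selector: {sel}")


def evaluate(clauses: list, req: Request):
    """Return (allowed, index of the matching clause).

    First matching clause wins; with no match slapd applies an implicit
    'by * none', modelled here as (False, None).
    """
    for i, clause in enumerate(clauses):
        if all(selector_matches(s, req) for s in clause.selectors):
            return LEVELS.index(clause.access) >= LEVELS.index(req.access), i
    return False, None


# The ACL from the post, reproduced verbatim.
ACL = r'''
access to attribute=userPassword
by dn="uid=ldapadmin,ou=People,dc=my_domain" write
by peername="IP=127\.0\.0\.1:*" anonymous auth
by peername="IP=192\.168\.1\.1:*" anonymous auth
by ssf=56 anonymous auth
by * none
'''
CLAUSES = parse_acl(ACL)
TARGET = "uid=balsa,ou=People,dc=my_domain"   # constructed entry DN


def auxprop_lookup(peer_ip: str, op_ssf: int) -> bool:
    """Can an anonymous auth-level read of userPassword succeed for this peer?"""
    req = Request(TARGET, "", f"IP={peer_ip}:40512", op_ssf, "auth")
    allowed, _ = evaluate(CLAUSES, req)
    return allowed


if __name__ == "__main__":
    # Privileged host: the peername clause matches whatever the ssf is.
    print("127.0.0.1   ssf=0   ->", auxprop_lookup("127.0.0.1", 0))
    # Other host while the lookup runs at ssf 0 ("ACL 56 > OP 0" in the log):
    # the ssf=56 clause is skipped and 'by * none' applies.
    print("192.168.1.2 ssf=0   ->", auxprop_lookup("192.168.1.2", 0))
    # Same host if the lookup were done at the TLS session's ssf instead.
    print("192.168.1.2 ssf=128 ->", auxprop_lookup("192.168.1.2", 128))
```

The third case is the one the ACL was written for: the ssf=56 clause would admit 192.168.1.2 over TLS, but it only ever sees the ssf of the operation doing the lookup, which in the posted trace is 0, so the request falls through to the final deny. That is why gating the password lookup on ssf in the ACL cannot express the intended per-host policy, and why the poster is left looking at the global security/sasl-secprops directives instead.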