ACL/ACI && SASL
I'm trying to convert my OpenLDAP 2.0 server to use ACI
so that I can get 'dynamic' updates of access control.
Writing the basic file ACL, I got into a snag when it comes
to SASL authentication.
This is what the ACL file looks like:
----- s n i p -----
# No read access as default. Some things are readable only from
# localhost and my own domain!
defaultaccess none
# We need to do SASL auth, so the Root DSE must be readable to anyone
access to dn=""
by domain=.*\.domain\.tld read
by domain=localhost read
# Some things should/must be readable to anyone
access to attr=uid,cn,accountStatus,uidNumber,gidNumber,gecos,homeDirectory,loginShell,entry
by aci write
by domain=.*\.domain\.tld read
by domain=localhost read
# Some things should only be visible if authenticated
access to attr=sn,givenName,krb5PrincipalName
by aci write
by users read
# Some things should be writable (implies read access) to the user
access to attr=cn,sn,givenName,homePostalAddress,mobile,homePhone,labeledURI,mailForwardingAddress,street,physicalDeliveryOfficeName,mailMessageStore,o,l,st,telephoneNumber,postalCode,title
by self write
by aci write
# We must be able to authenticate, so userPassword must be readable to anyone
access to attr=userPassword
by anonymous auth
by aci write
access to *
by aci write
by dn="uid=turbo.+\+realm=DOMAIN.TLD" write
by * none
----- s n i p -----
Much of this can probably be removed when I get ACIs to work...
Now, with this I can retrieve all that I want anonymously, and
I get the desired attributes when doing a simple bind.
Authenticating (via SASL) as myself, I get the whole
object.
Removing the 'SASL ACL' from "access to *" (which is the main
intention), I _DON'T_ get the desired attributes (which is/was
expected).
Now, what I'm trying to do is write a very portable ACL file
which I can use (without /much/ change) on all my OpenLDAP
servers (and future installations). Hence, I don't want to
hardcode any access by 'turbo@DOMAIN.TLD' etc!
In my production server I use ACLs like this, which work
as expected. The ACL is 'cleaned' to remove crud:
----- s n i p -----
access to dn="uid=(.*),ou=.*" attr=mailHost
by dn="uid=$1.\+realm=DOMAIN.TLD" read
by self read
----- s n i p -----
The problem with THIS is that in my development system(s) (which
will eventually migrate to my production servers), I use multiple
backends, with different layouts. For example, one such backend/db
is using 'cn' as user reference:
cn=Turbo Fredriksson,ou=People,o=Turbo Fredriksson
This object does not contain the 'uid' attribute, so I can't
use the above ACL (not portable anyway), nor can I replace 'uid'
with 'cn' (since my principal is 'turbo', not 'Turbo Fredriksson').
Since I'm using (MIT) Kerberos V, I have the krb5PrincipalName
which I'd like to use for the ACL (and later in the ACIs).
This attribute is the 'only' thing that say how/where to get
the password.
The question now is how to retrieve this value, and/or convert
my SASL 'id' (turbo@DOMAIN.TLD) to a DN. Remember, this is a
2.0 server so I can't use the 'sasl-regexp' things.
If no one can think of a solution, then I guess I HAVE to start
migrating to 2.1 (maybe this is the better solution anyway since
2.1 is getting 'stable' :).
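As an added illustration (not part of the original post, and not something the poster's 2.0 server can do), this is what the SASL-identity-to-DN mapping asked about above looks like with the 2.1 `sasl-regexp` directive: the Kerberos principal is looked up by krb5PrincipalName instead of being hardcoded into the ACL. The base DN `ou=People,o=Turbo Fredriksson` and the GSSAPI mechanism are assumptions taken from the poster's example entry.

```conf
# slapd.conf fragment, OpenLDAP 2.1 syntax (assumed; renamed authz-regexp in later releases).
# A SASL/GSSAPI bind as turbo@DOMAIN.TLD arrives with the authentication DN form
#   uid=turbo,cn=DOMAIN.TLD,cn=GSSAPI,cn=auth
# The regexp captures the username ($1) and realm ($2) and rewrites them into an
# LDAP URL; slapd runs that search and must get exactly one entry, which becomes
# the bound DN. No entry (or more than one) means the mapping fails closed.
sasl-regexp
    uid=([^,]*),cn=([^,]*),cn=gssapi,cn=auth
    "ldap:///ou=People,o=Turbo Fredriksson??sub?(krb5PrincipalName=$1@$2)"

# Once the bound DN is a real entry, the existing "by self write" clauses apply
# to the authenticated user, and the hardcoded
#   by dn="uid=turbo.+\+realm=DOMAIN.TLD" write
# line under "access to *" can be dropped, leaving "by * none" as the default.
```

The filter matches the exact principal string, so a Kerberos realm spelled differently in the directory (case or domain) will simply fail to map rather than bind as the wrong user.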