Re: ACL Blacklist
Thanks for the prompt reply, my version of openldap is 2.1.25 - I'm
using groupOfNames and the entry
uid=testuser,ou=people,dc=mydomain,dc=com
is in a member field as you suggest - I have previously tried to be
explicit in the config by group/groupOfName/member="bla" but still no
luck
I'm testing with slapd -d 128 and command line :
ldapwhoami -D "uid=testuser,ou=people,dc=mydomain,dc=com" -w secret -x
with output :
dn:uid=testuser,ou=people,dc=mydomain,dc=com
Which shows successful bind, even though uid=testuser... is a member of
the blacklist?
slapd output follows :
=> access_allowed: auth access to
"uid=testuser,ou=people,dc=mydomain,dc=com" "userPassword" requested
=> dn: [1]
=> acl_get: [2] check attr userPassword
<= acl_get: [2] acl uid=testuser,ou=people,dc=mydomain,dc=com attr:
userPassword
=> acl_mask: access to entry
"uid=testuser,ou=people,dc=mydomain,dc=com", attr "userPassword"
requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=testuser,ou=people,dc=mydomain,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscx) (stop)
<= acl_mask: [2] mask: read(=rscx)
=> access_allowed: auth access granted by read(=rscx)
I can't figure out if it is checking the groupOfNames - I have reduced
my slapd.conf down to the two access directives below to isolate the
problem :
access to attr=userPassword
by
group/groupOfNames/member="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com" none
by users read
by * auth
access to *
by * read
N.B. slapd startup reports:
Global ACL: access to attrs=userPassword
by group=cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com
objectClass: 2.5.6.9 attributeType: member none(=n)
by users read(=rscx)
by * auth(=x)
Global ACL: access to *
by * read(=rscx)
So it looks like it reads it OK - I'll check through slapd.access again.
Regards
RM
On Thu, 2004-01-15 at 12:37, Pierangelo Masarati wrote:
> > Could anyone give me advice on implementing blacklists, the following
> > does not seem to work :
> >
> > access to attr=userPassword
> > by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
> > by self read
> > by * auth
> >
> > access to *
> > by * read
> >
> >
> > I'd like to replace
> >
> > by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
> >
> > with
> >
> > by group="ou=blacklist,ou=people,dc=mydomain,dc=com" none
> >
> > but I can't get the basics to work - I've seen postings on whitelist
> > access for admin staff but nothing on denying access based on
> > groupOfNames.
>
> Blacklisting, AFAIK, is the same as whitelisting,
> with access denied instead of allowed.
>
> So, "by group=<blacklist dn> none" is fine.
> I infer that your problem is in what the <blacklist dn>
> contains, or how it is defined. It must be an entry
> of "groupOfNames" objectClass, and those DNs listed
> in the "member" attribute will be given the access
> privileges you set at the end of the "by" clause, in
> your case "none".
>
> see slapd.access(5) for a detailed description of the
> access clauses, and be sure you read the manual related
> to your software version (which you do not mention:
> ACL syntax and semantics don't change very often,
> but when they do it can be a pain somewhere behind).
>
> p.
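Added example (not part of the thread and not OpenLDAP code): a toy model of how slapd walks the `by` clauses of an `access` directive, written to show why clause order matters for a blacklist. It assumes the first-match rule and the implicit `by * none` from slapd.access(5), and it models the bind-time check the way the debug output above shows it (`to all values by ""`): the `auth` check on `userPassword` runs before the bind identity exists, so the requester is anonymous. The directory entries, the `alice` user and the `MISORDERED_ACLS` variant are constructed for the example.

```python
"""Toy model of slapd's first-match ACL evaluation (added example, not slapd code).

Follows slapd.access(5) only as far as the thread needs: for each
`access to <what>` directive whose <what> covers the attribute, the `by`
clauses are tried in order and the first match decides; an implicit
`by * none` ends every directive. Supported <who> forms: `*`, `anonymous`,
`users`, `self`, `dn="<dn>"` and `group="<dn>"` / `group/<oc>/<attr>="<dn>"`
(always treated as groupOfNames with membership in `member`).
The directory contents below are constructed sample data.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

DIRECTORY = {  # constructed sample entries
    "uid=testuser,ou=people,dc=mydomain,dc=com": {
        "objectClass": ["inetOrgPerson"], "userPassword": ["secret"]},
    "uid=alice,ou=people,dc=mydomain,dc=com": {  # hypothetical, not in the thread
        "objectClass": ["inetOrgPerson"], "userPassword": ["s3cret"]},
    "cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=testuser,ou=people,dc=mydomain,dc=com"]},
}

ANONYMOUS = ""  # slapd's debug output prints an anonymous requester as by ""


def is_group_member(group_dn, dn, directory):
    """True when group_dn is a groupOfNames whose `member` attribute lists dn."""
    entry = directory.get(group_dn, {})
    if "groupOfNames" not in entry.get("objectClass", []):
        return False
    return dn != ANONYMOUS and dn in entry.get("member", [])


def who_matches(who, requester_dn, target_dn, directory):
    """Does one `by <who>` pattern match the requester?"""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn == ANONYMOUS
    if who == "users":
        return requester_dn != ANONYMOUS
    if who == "self":
        return requester_dn != ANONYMOUS and requester_dn == target_dn
    if who.startswith("dn="):
        return requester_dn == who[len("dn="):].strip('"')
    if who.startswith("group"):  # group=... or group/groupOfNames/member=...
        group_dn = who.partition("=")[2].strip('"')
        return is_group_member(group_dn, requester_dn, directory)
    raise ValueError(f"unsupported <who> clause: {who}")


def evaluate(acls, requester_dn, target_dn, attr, directory=DIRECTORY):
    """Access level the first matching access/by pair grants on target_dn's attr."""
    for what, by_clauses in acls:
        if what not in ("*", f"attr={attr}", f"attrs={attr}"):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester_dn, target_dn, directory):
                return level
        return "none"  # implicit `by * none` at the end of the matching directive
    return "none"


def bind_allowed(acls, dn, directory=DIRECTORY):
    """Simple bind needs `auth` on the entry's userPassword, checked as anonymous."""
    level = evaluate(acls, ANONYMOUS, dn, "userPassword", directory)
    return LEVELS.index(level) >= LEVELS.index("auth")


# The blacklist directives from the thread, as (what, [(who, level), ...]).
BLACKLIST_ACLS = [
    ("attr=userPassword", [
        ('group/groupOfNames/member="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"', "none"),
        ("users", "read"),
        ("*", "auth"),
    ]),
    ("*", [("*", "read")]),
]

# Constructed variant with `by users read` ahead of the group clause: first
# match wins, so a bound blacklisted user is never reached by the `none` clause.
MISORDERED_ACLS = [
    ("attr=userPassword", [
        ("users", "read"),
        ('group="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com"', "none"),
        ("*", "auth"),
    ]),
    ("*", [("*", "read")]),
]

if __name__ == "__main__":
    test = "uid=testuser,ou=people,dc=mydomain,dc=com"
    alice = "uid=alice,ou=people,dc=mydomain,dc=com"
    print("bind as blacklisted user allowed:", bind_allowed(BLACKLIST_ACLS, test))
    print("blacklisted user reading alice's userPassword:",
          evaluate(BLACKLIST_ACLS, test, alice, "userPassword"))
    print("same request under the misordered ACL:",
          evaluate(MISORDERED_ACLS, test, alice, "userPassword"))
```

Running it shows the two sides of the thread's observation: with the requester anonymous at bind time, the group clause cannot match (anonymous is never a `member`), so `by * auth` is reached and the bind succeeds; once `testuser` is bound and makes a request of its own, the same group clause matches first and yields `none`. Swapping `by users read` in front of the group clause silently defeats the blacklist, which is the ordering mistake worth checking for in a real slapd.conf.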