
Re: ACL Blacklist



Thanks for the prompt reply, my version of openldap is 2.1.25 - I'm
using groupOfNames and the entry 

uid=testuser,ou=people,dc=mydomain,dc=com

is in a member field as you suggest - I have previously tried to be
explicit in the config by group/groupOfName/member="bla" but still no
luck

I'm testing with slapd -d 128 and the command line:

ldapwhoami -D "uid=testuser,ou=people,dc=mydomain,dc=com" -w secret -x

with output:

dn:uid=testuser,ou=people,dc=mydomain,dc=com

Which shows successful bind, even though uid=testuser... is a member of
the blacklist?

slapd output follows:


=> access_allowed: auth access to
"uid=testuser,ou=people,dc=mydomain,dc=com" "userPassword" requested
=> dn: [1]
=> acl_get: [2] check attr userPassword
<= acl_get: [2] acl uid=testuser,ou=people,dc=mydomain,dc=com attr:
userPassword
=> acl_mask: access to entry
"uid=testuser,ou=people,dc=mydomain,dc=com", attr "userPassword"
requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=testuser,ou=people,dc=mydomain,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscx) (stop)
<= acl_mask: [2] mask: read(=rscx)
=> access_allowed: auth access granted by read(=rscx)


I can't figure out if it is checking the groupOfNames - I have reduced
my slapd.conf down to the two access directives below to isolate the
problem:

access	to attr=userPassword
	by group/groupOfNames/member="cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com" none
	by users read
	by * auth

access	to *
	by * read

N.B. slapd startup reports:

Global ACL: access to attrs=userPassword
        by group=cn=sys_black_list,ou=sys,ou=groups,dc=mydomain,dc=com
objectClass: 2.5.6.9 attributeType: member none(=n)
        by users read(=rscx)
        by * auth(=x)

Global ACL: access to *
        by * read(=rscx)

So it looks like it reads it OK - I'll check through slapd.access again.

Regards
RM

On Thu, 2004-01-15 at 12:37, Pierangelo Masarati wrote:
> > Could anyone give me advice on implementing blacklists, the following
> > does not seem to work :
> >
> > access	to attr=userPassword
> > 	by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
> > 	by self read
> > 	by * auth
> >
> > access 	to *
> > 	by * read
> >
> >
> > I'd like to replace
> >
> > by dn="uid=testuser,ou=people,dc=mydomain,dc=com" none
> >
> > with
> >
> > by group="ou=blacklist,ou=people,dc=mydomain,dc=com" none
> >
> > but I can't get the basics to work - I've seen postings on whitelist
> > access for admin staff but nothing on denying access based on
> > groupOfNames.
> 
> Blacklisting, AFAIK, is the same as whitelisting,
> with access denied instead of allowed.
> 
> So, "by group=<blacklist dn> none" is fine.
> I infer that your problem is in what the <blacklist dn>
> contains, or how it is defined.  It must be an entry
> of "groupOfNames" objectClass, and those DNs listed
> in the "member" attribute will be given the access
> privileges you set at the end of the "by" clause, in
> your case "none".
> 
> See slapd.access(5) for a detailed description of the
> access clauses, and be sure you read the manual related
> to your software version (which you do not mention:
> ACL syntax and semantics don't change very often,
> but when they do it can be a pain somewhere behind).
> 
> p.
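A small parser for the `slapd -d 128` ACL trace format quoted earlier in the message, added here as an illustration and not code from the thread or from OpenLDAP. It assumes the trace lines have been unwrapped back to one message per line, and reports which requester identity each access check was evaluated for, since an empty requester DN (`by ""` in the trace) means the check ran as anonymous, and a `by dn=`, `by group=`, `by self` or `by users` clause cannot match an empty DN.

```python
import re

# Constructed sample: the slapd -d 128 trace quoted in the thread, trimmed and
# with the mail-client line wrapping undone so each message sits on one line.
SAMPLE_LOG = """\
=> access_allowed: auth access to "uid=testuser,ou=people,dc=mydomain,dc=com" "userPassword" requested
=> acl_mask: to all values by "", (=n)
<= check a_dn_pat: uid=testuser,ou=people,dc=mydomain,dc=com
<= check a_dn_pat: *
<= acl_mask: [2] applying read(=rscx) (stop)
=> access_allowed: auth access granted by read(=rscx)
"""

REQ_RE = re.compile(r'^=> access_allowed: (\w+) access to "([^"]*)" "([^"]*)" requested')
BY_RE = re.compile(r'^=> acl_mask: to (?:all values|value .*?) by "([^"]*)"')
PAT_RE = re.compile(r'^<= check a_(\w+)_pat: (.*)$')
APPLY_RE = re.compile(r'^<= acl_mask: \[(\d+)\] applying (\w+)\(=\w*\)')
RESULT_RE = re.compile(r'^=> access_allowed: \w+ access (granted|denied)')

def parse_access_checks(log_text):
    """Group trace lines into one record per access_allowed check."""
    checks, cur = [], None
    for line in log_text.splitlines():
        if (m := REQ_RE.match(line)):
            cur = {"access": m.group(1), "target_dn": m.group(2), "attr": m.group(3),
                   "requester_dn": None, "patterns_tried": [], "acl": None,
                   "applied": None, "result": None}
            checks.append(cur)
        elif cur is None:
            continue                            # lines before the first check
        elif (m := BY_RE.match(line)):
            cur["requester_dn"] = m.group(1)    # "" means an anonymous requester
        elif (m := PAT_RE.match(line)):
            cur["patterns_tried"].append((m.group(1), m.group(2)))
        elif (m := APPLY_RE.match(line)):
            cur["acl"], cur["applied"] = int(m.group(1)), m.group(2)
        elif (m := RESULT_RE.match(line)):
            cur["result"] = m.group(1)
    return checks

def explain(check):
    """Say which kind of 'by' clause could have matched this check."""
    head = (f'{check["access"]} on {check["target_dn"]}/{check["attr"]}: '
            f'ACL [{check["acl"]}] applied {check["applied"]}, {check["result"]}; ')
    if check["requester_dn"] == "":
        return head + ("requester was anonymous, so clauses naming an identity "
                       "(by dn=, by group=, by self, by users) cannot match; "
                       "only by anonymous or by * can.")
    return head + f'requester was {check["requester_dn"]!r}.'
```

Run it over a real trace by replacing `SAMPLE_LOG` with the captured debug output, one trace message per line.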