RE: ACL questions. Answered (long)
Actually, what you suggested is not really working; see my two cases. I
still need anonymous access to read entries for things like phone numbers,
addresses, etc.
Case 1. Using "by * auth break" on ou=People, which you say makes no sense,
actually works:
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth
access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
        attrs=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break
access to *
        by * read
oak:/etc/openldap # /opt/local/bin/ldapsearch -x '(uid=dijuremo)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#
# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dijuremo@math.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
oak:/etc/openldap # /opt/local/bin/ldapsearch -x -Z -W -D "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" '(uid=dijuremo)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#
# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dijuremo@math.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fSMjZGlqdXJlbW8=
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
Case 2. Like you suggested, removing "by * auth break":
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth
access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
        attrs=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
access to *
        by * read
Trying an anonymous request:
oak:/etc/openldap # ldapsearch -x '(uid=dijuremo)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
It cannot access anything in ou=People.
Trying with uid=Sambaroot:
oak:/etc/openldap # /opt/local/bin/ldapsearch -x -Z -W -D "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" '(uid=dijuremo)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#
# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dijuremo@math.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: XXXXXXXXXXXXXXXXXXXX
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina
# search result
search: 3
result: 0 Success
# numResponses: 2
# numEntries: 1
Diego
On Wed, 10 Mar 2004, Howard Chu wrote:
> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Diego Julian
> Remolina
>
> > Answer to myself and anybody that ever needs to do this:
> >
> > The Goals:
> >
> > 1. Not use rootdn at all. Why? Because when you run scripts you need the
> > plaintext password to authenticate, and I am really paranoid and do not
> > want anybody to know the password of my LDAP database admin user.
> > Comment out the rootdn and rootpw entries in slapd.conf.
>
> No, you don't *need* the plaintext password, that's just the most common way
> to use it.
>
> > 2. Have a user uid=Ldaproot,dc=math,dc=gatech,dc=edu which also has a
> > Kerberos principal, and create a keytab that has the ID/PASSWD pair.
> > Then any time you try to authenticate with this Ldaproot's credentials,
> > you will get a Kerberos ticket using that keytab with the command:
> > kinit -v /path/to/Ldaproot.keytab
> > Then do any ldapadd/ldapdelete/ldapmodify with the -Y GSSAPI -U Ldaproot
> > options to perform GSSAPI auths.
>
> This technique will still work for the rootdn if you have a sasl-regexp rule
> to map the SASL authentication ID into the rootdn. Obviously you need a
> sasl-regexp rule anyway, to identify your uid=Ldaproot entry.
>
> > TODO:
> > 1- Find out how these ACLs affect performance.
> > 2- Find any other problems trying to add/delete stuff.
> > 3- Find any other way to list all attributes for Samba instead of having
> > to add them all one at a time (not sure if this is possible yet).
> >
> > Finally, here are the ACLs for the slapd.conf file:
> > (If you have any comments, suggestions, etc please e-mail back).
> >
> > defaultaccess none
> >
> > access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * auth
>
> The OpenLDAP server doesn't know anything special about sambaLMPassword or
> sambaNTPassword; it will never use Auth access on these attributes. Including
> them here is pointless.
>
> > access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> >         attrs=objectClass,sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial
> >         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * auth break
>
> None of these attributes are used by slapd during authentication. Again, "by
> * auth" is pointless. The use of "break" here is also unnecessary. The same
> applies to all the subsequent clauses.
>
> Note that slapd allows objectClass names to be used as a shorthand for all of
> the attributes in the class. Your ACL could just read
> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
>         attrs=objectClass,sambaSamAccount
>         by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>
> (The Ldaproot would be subsumed by using the rootdn; no rootpw is needed if
> you use SASL.)
>
> -- Howard Chu
> Chief Architect, Symas Corp. Director, Highland Sun
> http://www.symas.com http://highlandsun.com/hyc
> Symas: Premier OpenSource Development and Support
>
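The thread turns on how slapd walks its access directives: the first "access to" whose <what> matches the entry and attribute is selected, the first matching "by" clause inside it fixes the access level, and evaluation stops there unless that clause says "break", in which case later directives may still override the result. The toy model below (an added illustration, not OpenLDAP code and not from either poster) encodes those rules from slapd.access(5) and runs them over the two configurations Diego posted. It assumes, as Howard's shorthand implies, that attrs=sambaSamAccount expands to every attribute of that object class; the attribute names used for the expansion are taken from samba.schema, which the thread does not reproduce (sambaSamAccount has MUST uid and sambaSID), and the "by" selectors are simplified to "*" or an exact DN, with no regex, no "continue", no entry pseudo-attribute, and the OpenLDAP 2.2-era privilege order. Under those assumptions the model gives anonymous "read" on uid with the "break" clause and "none" without it, which is consistent with the two transcripts above.

```python
"""Toy model of slapd ACL evaluation order, run over the thread's two configs.

Added illustration, not OpenLDAP code. Follows slapd.access(5): first matching
<what> directive, first matching <who> clause, "stop" unless "break".
ASSUMPTIONS: exact-DN or "*" selectors only; no regex, "continue" or entry
pseudo-attribute; privilege order of OpenLDAP 2.2.
"""
from dataclasses import dataclass

# Lowest to highest; a grant of level X satisfies any request at or below X.
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

PEOPLE = "ou=People,dc=math,dc=gatech,dc=edu"
SAMBAROOT = "uid=Sambaroot," + PEOPLE
DIJUREMO = "uid=dijuremo," + PEOPLE
ANON = ""  # anonymous bind: empty DN

# ASSUMPTION: attrs=<objectClass> expands to every attribute of the class.
# Names taken from samba.schema (sambaSamAccount MUST uid, sambaSID; MAY the
# sambaXxx attributes); the list is trimmed to what the demo needs.
OBJECTCLASS_ATTRS = {
    "sambaSamAccount": {
        "uid", "sambaSID", "cn", "sambaLMPassword", "sambaNTPassword",
        "sambaPwdLastSet", "sambaAcctFlags", "displayName", "sambaHomePath",
        "sambaPrimaryGroupSID", "sambaDomainName",
    },
}


@dataclass
class By:
    who: str                # "*" or an exact bind DN
    access: str             # one of LEVELS
    control: str = "stop"   # "stop" (default) or "break"


@dataclass
class Access:
    by: list
    children_of: str = None   # dn.children=<DN>; None matches every entry
    attrs: set = None         # attrs=<list>; None matches every attribute

    def matches(self, entry_dn, attr):
        """Does this directive's <what> select (entry_dn, attr)?"""
        if self.children_of is not None:
            if not entry_dn.lower().endswith("," + self.children_of.lower()):
                return False
        if self.attrs is not None:
            expanded = set()
            for name in self.attrs:
                expanded |= OBJECTCLASS_ATTRS.get(name, {name})
            if attr not in expanded:
                return False
        return True


def granted(acls, entry_dn, attr, who):
    """Access level `who` ends up with on `attr` of `entry_dn`."""
    level = "none"
    for acl in acls:
        if not acl.matches(entry_dn, attr):
            continue
        clause = next((b for b in acl.by if b.who in ("*", who)), None)
        if clause is None:
            return "none"        # no <who> matched: implicit "by * none stop"
        level = clause.access
        if clause.control != "break":
            return level
        # "break": keep this result but let later directives override it
    return level


def allowed(acls, entry_dn, attr, who, need):
    """Is a request needing `need` (e.g. "search", "read") satisfied?"""
    return LEVELS.index(granted(acls, entry_dn, attr, who)) >= LEVELS.index(need)


def thread_config(with_break):
    """The three directives from the thread; with_break=True is Case 1."""
    samba_by = [By(SAMBAROOT, "write")]
    if with_break:
        samba_by.append(By("*", "auth", "break"))
    return [
        Access(attrs={"userPassword", "sambaLMPassword", "sambaNTPassword"},
               by=[By(SAMBAROOT, "write"), By("*", "auth")]),
        Access(children_of=PEOPLE, attrs={"sambaSamAccount"}, by=samba_by),
        Access(by=[By("*", "read")]),
    ]


CASE1 = thread_config(with_break=True)
CASE2 = thread_config(with_break=False)

if __name__ == "__main__":
    # The filter (uid=dijuremo) needs "search" on uid; returning it needs "read".
    for label, acls in (("case 1", CASE1), ("case 2", CASE2)):
        for who, name in ((ANON, "anonymous"), (SAMBAROOT, "Sambaroot")):
            print(label, name,
                  "uid ->", granted(acls, DIJUREMO, "uid", who),
                  "userPassword ->", granted(acls, DIJUREMO, "userPassword", who),
                  "mail ->", granted(acls, DIJUREMO, "mail", who))
```

The practical check this model encodes: when an attribute list in an ACL expands to include an attribute your search filter needs (here uid under sambaSamAccount), every requester the directive does not name gets the implicit "by * none" and the entry silently disappears from anonymous searches, while password attributes stay at "auth" for everyone but Sambaroot in both cases.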