
RE: ACL questions. Answered (long)



Actually, what you suggested is not really working; see my 2 cases. I
still need anonymous access to read entries for things like phone numbers,
addresses, etc.

Case 1. Using "by * auth break" on ou=People, which you say makes no sense,
actually works.

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth

access to dn.children="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

access to *
        by * read

oak:/etc/openldap # /opt/local/bin/ldapsearch -x '(uid=dijuremo)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#

# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dijuremo@math.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

oak:/etc/openldap # /opt/local/bin/ldapsearch -x -Z -W -D "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" '(uid=dijuremo)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#

# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dijuremo@math.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: e2NyeXB0fSMjZGlqdXJlbW8=
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1



Case 2. Like you suggested, removing "by * auth break"

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth

access to dn.children="ou=People,dc=math,dc=gatech,dc=edu" attrs=sambaSamAccount
        by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write

access to *
        by * read

Trying anonymous request

oak:/etc/openldap # ldapsearch -x '(uid=dijuremo)'
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

It cannot access anything in ou=People

Trying with uid=Sambaroot

oak:/etc/openldap # /opt/local/bin/ldapsearch -x -Z -W -D "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" '(uid=dijuremo)'
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope sub
# filter: (uid=dijuremo)
# requesting: ALL
#

# dijuremo, People, math.gatech.edu
dn: uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu
uid: dijuremo
cn: Diego Julian Remolina
givenName: Diego Julian
sn: Remolina
mail: dijuremo@math.gatech.edu
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
userPassword:: XXXXXXXXXXXXXXXXXXXX
loginShell: /bin/tcsh
uidNumber: 1001
gidNumber: 500
homeDirectory: /home/dijuremo
gecos: Diego Julian Remolina

# search result
search: 3
result: 0 Success

# numResponses: 2
# numEntries: 1

Diego



On Wed, 10 Mar 2004, Howard Chu wrote:

> > -----Original Message-----
> > From: owner-openldap-software@OpenLDAP.org
> > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Diego Julian
> Remolina
>
> > Answer to myself and anybody that ever needs to do this:
> >
> > The Goals:
> >
> > 1. Not use rootdn at all. Why? Because when you run scripts you need the
> > plaintext password to authenticate and I am really paranoid and do not
> > want anybody to know the password of my ldap database admin user.
> > Comment out the rootdn and rootpw entries in slapd.conf.
>
> No, you don't *need* the plaintext password, that's just the most common way
> to use it.
>
> > 2. Have a user uid=Ldaproot,dc=math,dc=gatech,dc=edu which also has a
> > kerberos principal and create a Keytab that has the ID/PASSWD pair.
> > Then any time you try to authenticate with this Ldaproot's credentials,
> > you will get a kerberos ticket using that keytab with the command:
> > kinit -v /path/to/Ldaproot.keytab
> > Then do any ldapadd/ldapdelete/ldapmodify with the -Y GSSAPI -U Ldaproot
> > options to perform gssapi auths.
>
> This technique will still work for the rootdn if you have a sasl-regexp rule
> to map the SASL authentication ID into the rootdn. Obviously you need a
> sasl-regexp rule anyway, to identify your uid=Ldaproot entry.
>
> > TODO:
> > 1- Find out how these ACLs affect performance.
> > 2- Find any other problems trying to add/delete stuff.
> > 3- Find any other way to list all attributes for samba instead of having
> > to add them all one at a time (not sure if this is possible yet).
> >
> > Finally, here are the ACLs for the slapd.conf file:
> > (If you have any comments, suggestions, etc please e-mail back).
> >
> > defaultaccess none
> >
> > access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * auth
>
> The OpenLDAP server doesn't know anything special about sambaLMPassword or
> sambaNTPassword; it will never use Auth access on these attributes. Including
> them here is pointless.
>
> > access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> > attrs=objectClass,sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial
> >         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
> >         by * auth break
>
> None of these attributes are used by slapd during authentication. Again, "by
> * auth" is pointless. The use of "break" here is also unnecessary. The same
> applies to all the subsequent clauses.
>
> Note that slapd allows objectClass names to be used as a shorthand for all of
> the attributes in the class. Your ACL could just read
> 	access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> 	  attrs=objectClass,sambaSamAccount
> 	  by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>
> (The Ldaproot would be subsumed by using the rootdn; no rootpw is needed if
> you use SASL.)
>
>   -- Howard Chu
>   Chief Architect, Symas Corp.       Director, Highland Sun
>   http://www.symas.com               http://highlandsun.com/hyc
>   Symas: Premier OpenSource Development and Support
>
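Added example, not from this thread and not OpenLDAP's own code: a small Python model of how slapd walks its access directives, enough to reproduce both of Diego's cases above. It assumes an abridged attribute expansion for the sambaSamAccount objectClass taken from samba.schema (its MUST list is uid and sambaSID, so the shorthand attrs=sambaSamAccount silently covers uid), represents anonymous as requester None, and models only the stop/break controls with absolute privilege levels (no continue control, no +/- increments). The entry, the DNs and the three access directives mirror the ones posted in the thread; the userPassword value is a constructed placeholder.

```python
# Added example (not from the thread): a simplified model of slapd access-control
# evaluation that reproduces why Case 1 ("by * auth break") lets anonymous find
# the entry while Case 2 (that line removed) returns no entries at all.

# slapd privilege levels, least to most; a higher level implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Abridged objectClass -> attribute expansion, constructed from samba.schema
# (sambaSamAccount MUST uid and sambaSID; the others are from its MAY list).
# Assumption: this subset is enough for the attributes used below.
OBJECTCLASS_ATTRS = {
    "sambaSamAccount": {"uid", "sambaSID", "cn", "sambaLMPassword", "sambaNTPassword",
                        "sambaPwdLastSet", "sambaAcctFlags", "displayName"},
}

SAMBAROOT = "uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu"
PEOPLE = "ou=People,dc=math,dc=gatech,dc=edu"
ENTRY_DN = "uid=dijuremo,ou=People,dc=math,dc=gatech,dc=edu"
# Constructed entry mirroring the ldapsearch output in the thread (password is a placeholder).
ENTRY = {"uid": "dijuremo", "cn": "Diego Julian Remolina", "mail": "dijuremo@math.gatech.edu",
         "userPassword": "{crypt}PLACEHOLDER", "uidNumber": "1001", "homeDirectory": "/home/dijuremo"}


def acl(children=None, attrs=None, by=()):
    """One 'access to <what> by <who> <level> [control]' directive."""
    return {"children": children, "attrs": attrs, "by": list(by)}


def expand_attrs(names):
    """slapd's objectClass shorthand: a class name in attrs= stands for all its attributes."""
    out = set()
    for name in names:
        out |= OBJECTCLASS_ATTRS.get(name, {name})
    return out


def what_matches(directive, target_dn, attr):
    base = directive["children"]
    if base is not None and not (target_dn != base and target_dn.endswith("," + base)):
        return False                      # dn.children= matches strict descendants only
    if directive["attrs"] is None:
        return True                       # 'access to *' covers every attribute and the entry itself
    return attr in expand_attrs(directive["attrs"])


def who_matches(who, requester):
    return who == "*" or who == requester  # '*' is everyone; otherwise a dn.exact= comparison


def granted(acls, requester, target_dn, attr):
    """Privilege the requester gets on one attribute of one entry (None = anonymous)."""
    level = "none"
    for directive in acls:
        if not what_matches(directive, target_dn, attr):
            continue                      # the first directive whose <what> matches decides
        for who, lvl, control in directive["by"]:
            if who_matches(who, requester):
                level = lvl
                if control == "break":    # keep this level but let later directives override it
                    break
                return level              # the default control is 'stop'
        else:
            return "none"                 # no <by> clause matched: implicit 'by * none'
    return level


def has(acls, requester, target_dn, attr, needed):
    return LEVELS.index(granted(acls, requester, target_dn, attr)) >= LEVELS.index(needed)


def search(acls, requester, filter_attr, filter_value):
    """Model a one-entry subtree search: visible attributes, or None when nothing is found."""
    # Evaluating the filter needs 'search' on the filtered attribute...
    if not has(acls, requester, ENTRY_DN, filter_attr, "search"):
        return None
    if ENTRY.get(filter_attr) != filter_value:
        return None
    # ...returning the entry needs 'read' on the 'entry' pseudo-attribute...
    if not has(acls, requester, ENTRY_DN, "entry", "read"):
        return None
    # ...and each attribute is disclosed only with 'read' on it.
    return {a: v for a, v in ENTRY.items() if has(acls, requester, ENTRY_DN, a, "read")}


PASSWORD_ACL = acl(attrs={"userPassword", "sambaLMPassword", "sambaNTPassword"},
                   by=[(SAMBAROOT, "write", "stop"), ("*", "auth", "stop")])
CATCH_ALL = acl(by=[("*", "read", "stop")])

# Case 1 from the thread: the Samba directive ends with 'by * auth break'.
CASE1 = [PASSWORD_ACL,
         acl(children=PEOPLE, attrs={"sambaSamAccount"},
             by=[(SAMBAROOT, "write", "stop"), ("*", "auth", "break")]),
         CATCH_ALL]
# Case 2 from the thread: the same directives with the 'by * auth break' line removed.
CASE2 = [PASSWORD_ACL,
         acl(children=PEOPLE, attrs={"sambaSamAccount"}, by=[(SAMBAROOT, "write", "stop")]),
         CATCH_ALL]

if __name__ == "__main__":
    for name, acls in (("case1", CASE1), ("case2", CASE2)):
        for label, who in (("anonymous", None), ("Sambaroot", SAMBAROOT)):
            print(name, label, "uid ->", granted(acls, who, ENTRY_DN, "uid"),
                  "| result:", search(acls, who, "uid", "dijuremo"))
```

Running it shows the mechanism behind the two outcomes. In Case 2 the filter (uid=dijuremo) needs search access on uid; uid falls under the sambaSamAccount directive because the objectClass shorthand expands to its MUST and MAY attributes; that directive has no by clause matching anonymous, so the implicit by * none applies and no entry is found. In Case 1 the by * auth break clause passes evaluation on to access to * by * read, so anonymous ends up with read on uid and on the other Samba attributes, while userPassword stays at auth because its own directive stops. Any rewrite that drops break but keeps anonymous lookups working must either grant anonymous read in the Samba directive explicitly (the same exposure Case 1 already has) or use an attribute list that does not swallow uid.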