
Re: Schema not available with restrictive ACLs



> Um, hmm, not sure what to say. I did try it (and found the problem) and
> did post it. :)
>
> Here it again, just in case:
>
> access to attrs=userPassword
>         by * auth
>
> access to dn=".*,ou=People,dc=example,dc=com"
>         by dn="uid=app,ou=Accounts,dc=example,dc=com" write
>         by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
>         by dn="uid=app3,ou=Accounts,dc=example,dc=com" read
>
> These ACLs don't allow tools such as LDAP Administrator to view the
> schema. It seems some tools want to view the schema anonymously.
>
> So my question all boiled down to if there was a:
>
> access to schema
>     by * read
>
> Style solution? Or another way that I need to approach this? Or do I
> just resign myself to not allowing anyone view the schema if I want to
> lock down access to our directory using auth-only users.
>
> I was looking for a solution. I'm not aware of one, and don't see one in
> the manpages.

I guess you missed how ACL selection does actually work.
- If you don't supply any, the default is to give read privileges to all.
- (subtle rule) global ACLs are evaluated after backend specific.  If
there aren't any, those of the first backend are used as global.
- as soon as you supply one, the default access is "none", so, in your
case, as soon as you gave auth privileges on userPassword and read/write
access below People to a couple of DNs, you implicitly gave "none" access
to everything else by anyone else.  So, to gain anonymous access to
rootDSE and schema, what you need is

access to dn.exact=""
        by * read

access to dn.exact="cn=Subschema"
        by * read

Your idea of "access to schema" is interesting, but totally equivalent to
the above, with the only advantage that a change in the schema name would
be automatically reflected by ACLs.  I don't much see this need.

BTW, note that, as clearly written in slapd.access(5), your ACLs
(assuming you're using 2.2) are wrong, because the default for "dn" is
exact, so ".*,ou=People,dc=example,dc=com" is not a valid DN.  Since you
were not bailed out, this implies you're using an older version of
OpenLDAP software.  In any case, to obtain the "all subtree excluding the
base branch" you are apparently trying to get, a more efficient solution,
as written in slapd.access(5), would have been

access to dn.children="ou=People,dc=example,dc=com"
        by dn="uid=app,ou=Accounts,dc=example,dc=com" write
        by dn="uid=app2,ou=Accounts,dc=example,dc=com" read
        by dn="uid=app3,ou=Accounts,dc=example,dc=com" read

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it




    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
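As an added illustration, not part of the reply above and not OpenLDAP code, here is a small Python model of the selection rules Pierangelo describes: the first matching `access to` directive wins, the first matching `by` clause inside it wins, and the default of read-for-everyone applies only when no directive exists at all. It replays the questioner's ACLs and the corrected set on the rootDSE, `cn=Subschema`, an entry under `ou=People` and the `ou=People` branch itself. The DNs are the ones from the thread; the `uid=jdoe` entry, the function names and the `dn.style`/`who` handling are my own simplifications of slapd.access(5), not a complete implementation.

```python
# Toy model of slapd ACL selection (added example; mimics the rules quoted in
# the reply, it is not OpenLDAP code and handles only the forms used here).
from dataclasses import dataclass, field
from typing import Optional

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def norm(dn: str) -> str:
    """Case-fold and strip a DN so plain string comparison is good enough here."""
    return ",".join(p.strip().lower() for p in dn.split(",")) if dn else ""


@dataclass
class Acl:
    dn: Optional[str] = None        # None models the implicit dn="*"
    style: str = "exact"            # exact | children | subtree (2.2 default: exact)
    attrs: Optional[set] = None     # None: entry itself plus every attribute
    by: list = field(default_factory=list)   # ordered (who, level) pairs

    def matches(self, entry: str, attr: Optional[str]) -> bool:
        """Does this directive apply to (entry, attr)? attr=None is entry-level access."""
        if self.attrs is not None:
            if attr is None or attr.lower() not in self.attrs:
                return False
        if self.dn is None:
            return True
        target, entry = norm(self.dn), norm(entry)
        below = target != "" and entry.endswith("," + target)
        if self.style == "exact":
            return entry == target
        if self.style == "children":     # strictly below the base, base excluded
            return below
        if self.style == "subtree":      # base plus everything below it
            return entry == target or below
        raise ValueError(self.style)


def who_matches(who: str, binder: Optional[str]) -> bool:
    """binder is the bind DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return binder is None
    if who == "users":
        return binder is not None
    if who.startswith("dn="):
        return binder is not None and norm(binder) == norm(who[3:])
    raise ValueError(who)


def access(acls: list, entry: str, binder: Optional[str], attr: Optional[str] = None) -> str:
    """Access level slapd's selection rules would grant."""
    if not acls:
        return "read"            # no directives at all: everyone may read
    for acl in acls:
        if acl.matches(entry, attr):
            for who, level in acl.by:
                if who_matches(who, binder):
                    return level
            return "none"        # directive matched, no <who> clause did
    return "none"                # directives exist but none covers this target


def allowed(level: str, needed: str) -> bool:
    return LEVELS.index(level) >= LEVELS.index(needed)


APP = "uid=app,ou=Accounts,dc=example,dc=com"
APP2 = "uid=app2,ou=Accounts,dc=example,dc=com"
APP3 = "uid=app3,ou=Accounts,dc=example,dc=com"
PERSON = "uid=jdoe,ou=People,dc=example,dc=com"   # constructed sample entry

PEOPLE_BY = [("dn=" + APP, "write"), ("dn=" + APP2, "read"), ("dn=" + APP3, "read")]

# The questioner's ACLs read with 2.2 semantics: the second target is taken as
# an exact DN, so the regex-looking string never matches a real entry.
QUESTIONER_ACLS = [
    Acl(attrs={"userpassword"}, by=[("*", "auth")]),
    Acl(dn=".*,ou=People,dc=example,dc=com", style="exact", by=PEOPLE_BY),
]

# The corrected set from the reply: rootDSE and subschema readable by anyone,
# then the password rule, then dn.children for the People subtree.
FIXED_ACLS = [
    Acl(dn="", style="exact", by=[("*", "read")]),
    Acl(dn="cn=Subschema", style="exact", by=[("*", "read")]),
    Acl(attrs={"userpassword"}, by=[("*", "auth")]),
    Acl(dn="ou=People,dc=example,dc=com", style="children", by=PEOPLE_BY),
]
```

Two things the model makes visible that the thread only implies: with the questioner's ACLs an anonymous client gets "none" on both `""` and `cn=Subschema`, which is exactly why the schema browser fails; and because `access to attrs=userPassword` carries an implicit `dn="*"` and comes first, `uid=app` keeps only `auth` on `userPassword` even though it has `write` on the rest of the People entries. A real slapd can be checked the same way with `ldapsearch -x -s base -b "" '(objectClass=*)' +` and `ldapsearch -x -s base -b cn=Subschema objectClasses`.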