
Retrieving userPassword via back-meta



We generate /etc/passwd files from LDAP (no, I don't know why we simply 
don't authenticate via LDAP) and so need read access to userPassword.

Using the ACL:

access to attrs=userPassword
        by self =wx
        by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=dev$" =w
        by anonymous auth

ensures they are unreadable for all except rootDN.

2.2.26 slapd.conf:

uri     "ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
rewriteEngine   on
rewriteContext  default
rewriteRule     "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=com" ":"
rebind-as-user
binddn  "cn=Manager,dc=au,dc=cordoors,dc=com"
bindpw  "XXX"

2.3.20 slapd.conf:

uri     "ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
rewriteEngine   on
rewriteContext  default
rewriteRule     "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=dev" ":"
rebind-as-user  true
acl-authcDN     "cn=Manager,dc=au,dc=cordoors,dc=dev"
acl-passwd      "XXX"
pseudorootdn    "cn=Manager,dc=au,dc=cordoors,dc=dev"
pseudorootpw    "XXX"

Search request:

ldapsearch -W -b "dc=AdminView" -H "ldap://mippet" -D "cn=Manager,dc=au,dc=cordoors,dc=dev" "(&(objectClass=ciEmployee)(uid=susanc))" uid userpassword
Enter LDAP Password: XXX

Result:

# susanc, stmarys, NSW, au.cordoors.dev
dn: uid=susanc,ou=stmarys,ou=NSW,dc=au,dc=cordoors,dc=dev
uid: susanc

slapd.log:

Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 ACCEPT from IP=192.168.1.1:1949 (IP=0.0.0.0:389)
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" mech=SIMPLE ssf=0
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 RESULT tag=97 err=0 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH base="dc=AdminView" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 fd=60 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 BIND dn="" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 RESULT tag=97 err=0 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH base="dc=au,dc=cordoors,dc=dev" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=2 UNBIND
Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 closed

This tells me two things: the rebind is performed anonymously, and no 
apparent attempt is made to use "acl-authcDN" etc for an ACL check.  I no 
longer have access to a 2.2.26 system, and the logs have long since 
rotated.

I'm fairly sure this used to work with 2.2.26 according to our staff, so 
perhaps something got tightened up in 2.3.20?

It's no big deal, as I can always retrieve the DN then repeat the search 
with that DN as the base.

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9552-5509 (d) -5500 (sw)
Corinthian Engrng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
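The diagnosis above rests on reading the slapd log by hand: the external connection (conn=6) binds as the Manager DN, while the back-meta inner connection over ldapi (conn=7) issues BIND dn="", so the real search against dc=au,dc=cordoors,dc=dev runs anonymously and the userPassword ACL ("by anonymous auth") strips the attribute from the result. The following script is an added example, not part of the original post or of OpenLDAP; it parses the slapd log lines quoted above (copied from the post, not constructed) and pairs each anonymous ldapi connection with the authenticated external connection that issued the same filter, which is the check a practitioner would run over a larger log to confirm whether rebind-as-user is actually taking effect. The regular expressions assume the default "stats" loglevel line format shown in the post.

```python
import re
from collections import defaultdict

# slapd log lines copied from the post above (not constructed).
SLAPD_LOG = """\
Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 ACCEPT from IP=192.168.1.1:1949 (IP=0.0.0.0:389)
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" mech=SIMPLE ssf=0
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 RESULT tag=97 err=0 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH base="dc=AdminView" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 fd=60 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 BIND dn="" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 RESULT tag=97 err=0 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH base="dc=au,dc=cordoors,dc=dev" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=2 UNBIND
Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 closed
"""

# One slapd "stats" record: conn id, optional fd, optional op id, then the message.
LINE_RE = re.compile(r'slapd\[\d+\]: conn=(\d+) (?:fd=\d+ )?(?:op=(\d+) )?(.*)$')
BIND_RE = re.compile(r'BIND dn="([^"]*)" method=')
SRCH_RE = re.compile(r'SRCH base="[^"]*" .*filter="([^"]*)"')


def parse_log(text):
    """Group log records by connection id -> list of (op, message)."""
    conns = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn, op, msg = m.group(1), m.group(2), m.group(3)
        conns[int(conn)].append((int(op) if op is not None else None, msg))
    return conns


def connection_summary(records):
    """Reduce one connection's records to transport, bind DN and search filters."""
    summary = {"transport": None, "bind_dn": None, "filters": []}
    for _op, msg in records:
        if msg.startswith("ACCEPT from "):
            # ldapi (unix socket) connections are logged with PATH=, TCP ones with IP=.
            summary["transport"] = "ldapi" if "PATH=" in msg else "tcp"
        m = BIND_RE.match(msg)
        if m:
            summary["bind_dn"] = m.group(1)  # "" means an anonymous bind
        m = SRCH_RE.search(msg)
        if m:
            summary["filters"].append(m.group(1))
    return summary


def find_anonymous_rebinds(text):
    """Return (outer_conn, inner_conn, outer_bind_dn, filter) tuples for every
    anonymous ldapi connection that repeats a filter issued on an authenticated
    TCP connection: that pattern is a back-meta rebind that did not carry the
    client's identity through, so the inner search is evaluated against the
    'by anonymous' ACL clause rather than the client's own DN."""
    summaries = {c: connection_summary(r) for c, r in parse_log(text).items()}
    findings = []
    for inner, s_in in summaries.items():
        if s_in["transport"] != "ldapi" or s_in["bind_dn"] != "":
            continue
        for outer, s_out in summaries.items():
            if outer == inner or s_out["transport"] != "tcp" or not s_out["bind_dn"]:
                continue
            for flt in sorted(set(s_in["filters"]) & set(s_out["filters"])):
                findings.append((outer, inner, s_out["bind_dn"], flt))
    return findings


if __name__ == "__main__":
    for outer, inner, dn, flt in find_anonymous_rebinds(SLAPD_LOG):
        print(f"conn={outer} bound as {dn!r} but back-meta conn={inner} "
              f"re-issued {flt} anonymously")
```

On the log from the post the script reports exactly one pairing, conn=6 (Manager) against conn=7 (BIND dn=""), which is the anonymous rebind the author identified; an empty result on a log where the inner ldapi connection binds as the client's DN would indicate the rebind is working as intended.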