[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Deny bind for subtree not working?

To: daniel.hasler@hasware.ch
Subject: Re: Deny bind for subtree not working?
From: Pierangelo Masarati <ando@sys-net.it>
Date: Sat, 13 Jan 2007 16:54:01 +0100
Cc: openldap-software@openldap.org
In-reply-to: <7529d5b962a885f115830db987f2bb8d@192.168.1.9>
References: <7529d5b962a885f115830db987f2bb8d@192.168.1.9>
User-agent: Mail/News 1.5.0.7 (X11/20060916)

Please ask software use questions on the openldap-software mailing list.

As per your question about access control in slapd-ldap(5), the answer is in (guess what?) slapd-ldap(5), in the section entitled (guess what?) "ACCESS CONTROL".

As per your question about other means to deny bind for a subtree, the answer is in slapd.conf(5), about the config statement "restrict".

p.

Daniel Hasler wrote:

Hi

I try to deni BIND for all entries in a subtree. I compiled openldap with the LDAP backend, because this is only a proxy that forwards request to another directory.

Following is my configuration:

include         /local/home/hasleda4/openldap/etc/openldap/schema/core.schema
include         /local/home/hasleda4/openldap/etc/openldap/schema/cosine.schema
include         /local/home/hasleda4/openldap/etc/openldap/schema/inetorgperson.schema
pidfile         /local/home/hasleda4/openldap/var/run/gaad-slapd.pid
argsfile        /local/home/hasleda4/openldap/var/run/gaad-slapd.args
database        ldap
suffix          "dc=company,dc=com"
uri             "ldaps://other-dir.net:26930"
access to dn.subtree="ou=people,ou=intranet,dc=company,dc=com" by dn.subtree="ou=applications,ou=intranet,dc=company,dc=com" read by * none access to dn.subtree="ou=applications,ou=intranet,dc=company,dc=com" by users read by anonymous auth by * none access to * by * read


As by the first ACL, anonymous users are not allowed to bind against "ou=people,ou=intranet,dc=novartis,dc=com".
If I now try to bind, the ACL seems not to be evaluated (I run slapd with -d 128 to see ACL processing, and there is no output during the BIND) and the BIND operation succeeds if I give the correct password.

Is this a bug? Or just how openldap behaves for bind operations?
Is there another way to deny bind operations for a subtree?

Thanks for any response.

Cheers
Dani

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------

Prev by Date: TR : Collective Attributes support
Next by Date: Re: TR : Collective Attributes support
Index(es):
- Chronological
- Thread