[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: New guy needs some help choosing an overlay

To: Jonathan Knight <j.knight@kis.keele.ac.uk>
Subject: Re: New guy needs some help choosing an overlay
From: Pierangelo Masarati <ando@sys-net.it>
Date: Thu, 05 Mar 2009 17:25:41 +0100
Cc: openldap-software@openldap.org
In-reply-to: <49AFE88E.1020401@kis.keele.ac.uk>
References: <497D86AF.8020004@kis.keele.ac.uk> <Pine.SOC.4.64.0901261143160.2853@toolbox.rutgers.edu> <49AE9AA8.7000203@kis.keele.ac.uk> <49AECABB.5030203@sys-net.it> <49AFE88E.1020401@kis.keele.ac.uk>
User-agent: Thunderbird 2.0.0.17 (X11/20081001)

Jonathan Knight wrote:

It's hard to tell without seeing your whole configuration. Auth (by simple bind) uses ACLs. In detail, it needs auth access to userPassword. The ACL you show above should indeed prevent auth; however, everybody would see the userPassword of everybody under that tree (=r).
Here's the config file I'm currently playing with.
access to * by * none
database                ldap
uri                     "ldap://ldap.isc.keele.ac.uk/";
suffix                  "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
rootdn                  "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
database                relay
suffix                  "dc=webct,dc=kdir,dc=keele,dc=ac,dc=uk"
relay                   "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
overlay                 rwm
rwm-suffixmassage       "dc=people,dc=kdir,dc=keele,dc=ac,dc=uk"
If I've understood the manual correctly then this should stop all access to the entire DIT.
I start slapd with:
/usr/local/ldap-proxy/libexec/slapd -d 128
@(#) $OpenLDAP: slapd 2.4.11 (Dec 18 2008 18:18:07) $ root@romeo.kis.keele.ac.uk:/var/sysdist/src/ldap/openldap-2.4.11/servers/slapd
Backend ACL: access to *
   by * none
Backend ACL: access to *
   by * none
config_back_db_open: line 0: warning: cannot assess the validity of the ACL scope within backend naming context slapd starting

I then run this command on the client: ldapwhoami -x -h romeo.kis.keele.ac.uk -D uniqueIdentifier=124E652A-4A4B-11DD-AF40-9CC5CB0AF2BD,dc=webct,dc=kdir,dc=keele,dc=ac,dc=uk -W Enter LDAP Password: dn:uniqueIdentifier=124E652A-4A4B-11DD-AF40-9CC5CB0AF2BD,dc=people,dc=kdir,dc=keele,dc=ac,dc=uk
As you can see the BIND succeeds and the DN is returned. If I get the password wrong, I get the invalid credentials error rather than the DN. There is no debug output on the slapd server. Any attempt at an ldapsearch will fail on the search and I get some ACL debug output, but the initial bind always succeeds.

So how do I use an ACL to stop a bind?

You see, you did not illustrate an important part of your configuration in your first message. slapd.access(5) states:

OPERATION REQUIREMENTS
  Operations require different privileges on different portions of
  entries.  The following summary applies to primary database backends
  such as the BDB and HDB backends.  Requirements for other backends may
  (and often do) differ.

(snip)

  The bind operation, when credentials are stored in the directory,
  requires auth (=x) privileges on the attribute the credentials are
  stored in (usually userPassword).

(snip)

  Access control to search entries is checked by the frontend, so it is
  fully honored by all backends; for all other operations and for the
  discovery phase of the search operation, full ACL semantics is only
  supported by the primary backends, i.e. back-bdb(5), and back-hdb(5).

  Some other  backend, like back-sql(5), may fully support them; others
  may only support a portion of the described semantics, or even differ
  in some aspects.  The relevant details are described in the backend-
  specific man pages.

And slapd-ldap(5) states:

ACCESS CONTROL
  The ldap backend does not honor all ACL semantics as described in
  slapd.access(5).  In general, access checking is delegated to the
  remote server(s).  Only read (=r) access to the entry pseudo-attribute
  and to the other attribute values of the entries returned by the
  search operation is honored, which is performed by the frontend.

A similar statement appears in slapd-relay(5):

ACCESS CONTROL
  The relay backend does not honor any of the access control semantics
  described in slapd.access(5); all access control is delegated to  the
  relayed database(s).  Only read (=r) access to the entry pseudo-
  attribute and to the other attribute values of the entries returned by
  the search operation is honored, which is performed by the frontend.

So yes, as clearly documented, there is no way to use ACLs to enforce bind policies unless you're using back-bdb, back-hdb or back-sql.

An alternative consists in using the rewrite engine of slapo-rwm(5) to intercept binds and do filtering for you. Something along the lines of the example in slapo-rwm(3) that defines and uses a map called "attr2dn". Beware that this is not trivial and may result in significant overhead, as it will likely need to perform internal requests for each bind operation.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

References:
- Re: New guy needs some help choosing an overlay
  - From: Jonathan Knight <j.knight@kis.keele.ac.uk>
- Re: New guy needs some help choosing an overlay
  - From: Pierangelo Masarati <ando@sys-net.it>
- Re: New guy needs some help choosing an overlay
  - From: Jonathan Knight <j.knight@kis.keele.ac.uk>

Prev by Date: Re: uidNumber doesn't match after slapd-upgrade
Next by Date: Re: uidNumber doesn't match after slapd-upgrade
Index(es):
- Chronological
- Thread