
Re: memberOf search ACLs



Andrew Bartlett wrote:
I've recently been trying to lock down Samba4's default ACLs, in its
generated LDAP backend configuration.

I have memberOf configured to 'error' on dangling links, which I need
for Samba.


But I seem to be having some trouble with ACLs.  I've attached my full
config file, but the key part is:

access to dn.base=""
       by dn=cn=samba-admin,cn=samba manage
       by anonymous read
       by * read


access to dn.subtree="cn=samba"
       by anonymous auth

access to dn.subtree="${DOMAINDN}"
       by dn=cn=samba-admin,cn=samba manage
       by * none

If I change the last line to 'by * read', then the error is returned,
but otherwise (due apparently to "" being unable to read the entry to
validate its existence).

Shouldn't the search operations happen as the rootdn or memberof-dn, or
am I missing some other configuration element here?

Not sure I got the point, but what I'm sure about is that any check about dangling links is done while writing. The result of search operations is based on what values the link contains, statically. Apart from this, yes, internal ops are performed using the rootdn, in order to skip any issue related to access control.


p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
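The reply above says the dangling-link check is something the overlay does at write time with rootdn privileges, so ACLs on the target entries do not enter into it. For a directory that already exists, the equivalent check is an offline audit of an LDIF export. The script below is an added example (not from the thread, and not Samba or OpenLDAP code) run over a constructed export; it assumes plain LDIF with no base64 (`::`) values and no line folding.

```python
import re

# Constructed sample LDIF export (not from the thread): two user entries and
# one group whose 'member' values include a DN that has no entry, i.e. a
# dangling link of the kind memberof-dangling 'error' would have rejected.
SAMPLE_LDIF = """\
dn: cn=alice,cn=users,dc=example,dc=com
cn: alice

dn: cn=bob,cn=users,dc=example,dc=com
cn: bob

dn: cn=admins,cn=groups,dc=example,dc=com
cn: admins
member: cn=alice,cn=users,dc=example,dc=com
member: cn=carol,cn=users,dc=example,dc=com
"""

def normalize_dn(dn: str) -> str:
    # Case-insensitive match with whitespace around RDN separators dropped;
    # adequate for an audit, not a full RFC 4514 DN comparison.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif(text: str) -> dict[str, list[str]]:
    """Map each entry's DN to the list of its 'member' attribute values."""
    entries: dict[str, list[str]] = {}
    for block in re.split(r"\n\s*\n", text.strip()):   # entries are blank-line separated
        dn = None
        members: list[str] = []
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr.lower() == "dn":
                dn = normalize_dn(value)
            elif attr.lower() == "member":
                members.append(normalize_dn(value))
        if dn is not None:
            entries[dn] = members
    return entries

def find_dangling(entries: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return group DN -> 'member' values that name no entry in the export."""
    known = set(entries)
    return {grp: [m for m in members if m not in known]
            for grp, members in entries.items()
            if any(m not in known for m in members)}

if __name__ == "__main__":
    for grp, missing in find_dangling(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{grp}: dangling member(s) {missing}")
```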