
Chain overlay and ACLs



Noob question:

I've set up chaining from my slave LDAP to the master.  It seemed
everything was working fine, until I realized that ANY user can now make
modifications in the LDAP DB if it is done from the slave.

My ACLs allow full write access to the chain binddn.  If I don't set
this, chaining fails.  But with it set, any valid, authenticated user
can make DB changes (full write access).

I am confused as to why this is happening.

Info is below.

Thanks in advance,
John



Version:
openldap-2.3.43

ACLs on master (and slave):

# Who has access to read or change the password attribute
access to attrs=userPassword,shadowLastChange
        by self write
        by dn.base="cn=tooladmin,o=partner_x,dc=example,dc=net" write
        by group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
        by group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
        by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
        by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
        by anonymous auth
        by * none

# Keep partners out of mycompany db
access to dn.sub="o=mycompany,dc=example,dc=net"
        by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
        by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
        by dn.sub="o=partner_x,dc=example,dc=net" none
        by anonymous none
        by * none

# Allow the tool access to add and modify ToolAccessLevel, etc
access to filter="(|(objectClass=DiagnosticsPerson)(objectClass=ToolsAccess))"
        by dn.base="cn=tooladmin,o=partner_x,dc=example,dc=net" write
        by group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
        by group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
        by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
        by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
        by anonymous none
        by * read

# Finally, allow the main LDAP users access to everything else
access to *
        by group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
        by group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
        by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
        by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
        by anonymous none
        by * read


And the LDIFs:

# admin_partner_x, partner_x, example.net
dn: cn=admin_partner_x,o=partner_x,dc=example,dc=net
cn: admin_partner_x
objectClass: groupOfNames
description: Group of Admins with full access
member: cn=ldapChain,o=partner_x,dc=example,dc=net
member: cn=ldapEditor,o=partner_x,dc=example,dc=net

# admin_partner_x_RO, partner_x, example.net
dn: cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net
cn: admin_partner_x_RO
objectClass: groupOfNames
description: Group of Admins with readonly access
member: cn=simpleBind,o=partner_x,dc=example,dc=net
member: cn=syncRepl,o=partner_x,dc=example,dc=net

# tooladmin, partner_x, example.net
dn: cn=tooladmin,o=partner_x,dc=example,dc=net
sn: tooladmin
cn: tooladmin
userPassword:: dG9vbGFkbWlu
description: To allow access for tools.  Per ACLs, this guy has write access to passwords and tool levels
objectClass: person

# jkane2, people, partner_x, example.net
dn: uid=jkane2,ou=people,o=partner_x,dc=example,dc=net
objectClass: person
objectClass: posixAccount
objectClass: DiagnosticsPerson
objectClass: ToolsAccess
cn: jkane2
loginShell: /bin/bash
uidNumber: 3805
uid: jkane2
homeDirectory: /jkane2
sn: jkane2
gidNumber: 950
ToolAccessLevel: subinfo
ToolDomain: example.net
DiagAccessLevel: DIAG_USER_T1
DiagGroup: partner_x
userPassword:: xxxxxxxxxxx


From the master, using some arbitrary user:

[jkane2@master]$ ldapadd -x -D 'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' -W <<EOF
> dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
> uid: testauserC
> description: asdf
> objectClass: account
> objectClass: simpleSecurityObject
> userPassword: testauser
> EOF
Enter LDAP Password:
adding new entry "uid=testauserC,ou=people,o=partner_x,dc=example,dc=net"
ldapadd: Insufficient access (50)
        additional info: no write access to parent



From the slave:

[jkane2@slave]$ ldapadd -x -D 'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' -W <<EOF
> dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
> uid: testauserC
> description: asdf
> objectClass: account
> objectClass: simpleSecurityObject
> userPassword: testauser
> EOF
Enter LDAP Password:
adding new entry "uid=testauserC,ou=people,o=partner_x,dc=example,dc=net"

[jkane2@slave]$ ldapsearch -x -D 'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' uid=testauserC -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=testauserC
# requesting: ALL
#

# testauserC, people, partner_x, example.net
dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
uid: testauserC
description: asdf
objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
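
Added illustration, not part of John's post and not OpenLDAP's own documentation: the chain overlay on the slave binds to the master as the chain identity, so the master evaluates its ACLs against cn=ldapChain (a member of cn=admin_partner_x, hence "write") instead of against the user who bound to the slave. The fragment below contrasts that with identity assertion (mode=self), where the chain identity proxies as the original client and the master applies that user's own ACLs; the master hostname, the credentials and the exact directive spelling on 2.3.43 are assumptions to check against slapo-chain(5), slapd-ldap(5) and slapd.conf(5).

```conf
### Slave slapd.conf: chaining as the post describes it (assumed form)
# mode=none: no client identity is asserted, every forwarded write is
# performed on the master as cn=ldapChain, and the master's
# "by group.exact=cn=admin_partner_x,... write" therefore applies to
# whatever any authenticated slave user sends.
overlay chain
chain-uri "ldap://master.example.net"          # assumed hostname
chain-idassert-bind bindmethod=simple
    binddn="cn=ldapChain,o=partner_x,dc=example,dc=net"
    credentials="secret"                        # placeholder
    mode=none

### Slave slapd.conf: same chain, but assert the client's identity
# mode=self attaches a proxy-authorization control carrying the DN that
# bound to the slave (e.g. uid=jkane2,...), so the master evaluates its
# ACLs as that user and the ldapadd from the slave fails with
# "no write access to parent" exactly as it does on the master.
overlay chain
chain-uri "ldap://master.example.net"          # assumed hostname
chain-idassert-bind bindmethod=simple
    binddn="cn=ldapChain,o=partner_x,dc=example,dc=net"
    credentials="secret"                        # placeholder
    mode=self

### Master slapd.conf: cn=ldapChain may only proxy identities it is
### explicitly allowed to (authzTo on its own entry)
authz-policy to

### Master LDIF: restrict what cn=ldapChain may assert to partner_x people
dn: cn=ldapChain,o=partner_x,dc=example,dc=net
changetype: modify
add: authzTo
authzTo: dn.regex:^uid=[^,]+,ou=people,o=partner_x,dc=example,dc=net$
-

# With identity assertion in place, cn=ldapChain no longer needs to be a
# member of cn=admin_partner_x: the existing "by anonymous auth" clause on
# userPassword is enough for it to bind, and the master's ACLs for the
# asserted user decide what gets written.
```

A quick check after the change is to repeat the ldapadd from the slave as uid=jkane2 and confirm it returns "Insufficient access (50)" like the run against the master.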


