[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd ACLs - [SOLVED]

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: slapd ACLs - [SOLVED]
From: Mik J <mikydevel@yahoo.fr>
Date: Mon, 1 Oct 2012 08:40:07 +0100 (BST)
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.fr; s=s1024; t=1349077207; bh=o0MXjRU3QUrsFE1uojo/e8vRzbyTOHZmHfpnVEikcsw=; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Rano1FxlLmvGwbKjBrKA0TnEQ8uixzh8WYwc27oAUYVhTW/u1LF88YRFX3dfoXA4Lubhvz04PuDMMnNCDgoaQZ6z+FNmw/lhZ8LTVRac0/X/3g3q5nhRF6dhocEuLm70zNR14yfZUwssYDmhtXN/Gfvi7NdL+qZ794CVT0iH9TM=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.fr; h=X-YMail-OSG:Received:X-Mailer:References:Message-ID:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=mzsE8zix2eYrhdAuchN7z9AyeDnQvvMjQ4b7XeRgh80NOE6QWdscfi9aXgkTP4p/ZnDdpFlnTQ5tQIGfQjFfcwz5rg22prfr+EuWpkMdU5z1i0KDMB2KqFE73GvC1bEdnZZN7zHt/0n3Vxsbt7+vmsPxutKfJnDw+3TYUKbciGI=;
In-reply-to: <CA+5QeXSYGSQRbVar8tV9T3OiMiyOVF80_3G2uiZJNUFzYFiP9w@mail.gmail.com>
References: <1349026841.88837.YahooMailNeo@web28801.mail.ir2.yahoo.com> <CA+5QeXRa3cSwPi-+Ok4QZqBEupQ8wCap4au4N2r_LSv+E_j6CA@mail.gmail.com> <1349034667.33542.YahooMailNeo@web28806.mail.ir2.yahoo.com> <CA+5QeXSYGSQRbVar8tV9T3OiMiyOVF80_3G2uiZJNUFzYFiP9w@mail.gmail.com>

Olivier,

Thank you for your suggestion, it really helped. The problem is now solved.

My configuration looks like this now
defaultsearchbase       dc=mydomain,dc=org

sortvals member memberUid roleOccupant

access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by dn.regex="uid=myadmin,ou=people,dc=mydomain,dc=org" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
        by self write
        by users read
        by anonymous auth
        by * none


I have made some tests and so far it seems good. Myadmin is able to see everyone's password, a user can see his passwords but not other's people. Non authenticated users cannot do anything.

I have noticed that I cannot add a comment line in the middle of an ACL and slapd won't start

access to *
        by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
#        by self write
        by users read

But my version 2.4.26 is not the latest so this feature my have been implemented already.



----- Mail original -----
> De : Olivier Guillard <olivier@guillard.nom.fr>
> À : Mik J <mikydevel@yahoo.fr>
> Cc : 
> Envoyé le : Dimanche 30 septembre 2012 22h23
> Objet : Re: slapd ACLs
> 
> Could you activate ACL debug level ?
> 
> since I'm not very familiar with "dn.regex", you might need help 
> from
> someone else anyway.
> 
> ---
> Olivier
> 
> 2012/9/30 Mik J <mikydevel@yahoo.fr>:
>>  Thank you for your answer Olivier, I tried to do this but it didn't 
> work. The logs look like this
>> 
>>  conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" 
> method=128
>>  conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" 
> mech=SIMPLE ssf=0
>>  conn=1001 op=0 RESULT tag=97 err=0 text=
>>  conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" 
> scope=2 deref=0 filter="(objectClass=*)"
>>  conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>>  conn=1001 op=2 UNBIND
>> 
>>  I triple checked, and when it works, with the dn.subtree permission in the 
> begining of slapd.conf I have
>>  conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" 
> method=128
>>  conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" 
> mech=SIMPLE ssf=0
>>  conn=1000 op=0 RESULT tag=97 err=0 text=
>>  conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" 
> scope=2 deref=0 filter="(objectClass=*)"
>>  conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>>  conn=1000 op=2 UNBIND
>> 
>> 
>> 
>> 
>>  ----- Mail original -----
>>>  De : Olivier <ldap@guillard.nom.fr>
>>>  À : Mik J <mikydevel@yahoo.fr>
>>>  Cc :
>>>  Envoyé le : Dimanche 30 septembre 2012 20h29
>>>  Objet : Re: slapd ACLs
>>> 
>>> T ry to put this rule :
>>> 
>>>>   access to dn.subtree=""
>>>>           by * read
>>> 
>>>  after the two others.
>>> 
>>>  (ionce a rule matches, then the scan stops : order counts)
>>> 
>>>  --
>>>  Olivier
>>> 
>>>  2012/9/30 Mik J <mikydevel@yahoo.fr>:
>>>>   Hello,
>>>> 
>>>>   I'm a bit confused with the ACLs in my slapd.conf considering 
> I have
>>>  this
>>>> 
>>>>   access to dn.subtree=""
>>>>           by * read
>>>> 
>>>>   access to
>>> 
> attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>>>           by 
> dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?"
>>>  write
>>>>           by dn="uid=admin,ou=people,dc=mydomain,dc=org" 
> write
>>>>           by self write
>>>>           by anonymous auth
>>>>           by * none
>>>> 
>>>>   access to *
>>>>           by 
> dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?"
>>>  =wrscx
>>>>           by self write
>>>>           by users read
>>>>           by anonymous auth
>>>>          by * none
>>>> 
>>>> 
>>>>   When I do a ldapsearch without authentication, I can see the 
> user's
>>>  details including the unencrypted password
>>>> 
>>>>   ldapsearch -x -b 
> "uid=user1,ou=people,dc=mydomain,dc=org"
>>>>   I think that it's because the rule access to 
> dn.subtree="" by
>>>  * read
>>>>   With an authenticated user is works as well
>>>> 
>>>>   ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b
>>>  "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>> 
>>>>   But if I comment these two lines
>>>>   #access to dn.subtree=""
>>>>   #        by * read
>>>>   The search doesn't give me any result
>>>> 
>>>>   ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b
>>>  "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>>   # search result
>>>>   search: 2
>>>>   result: 32 No such object
>>>>   # numResponses: 1
>>>> 
>>>>   I would have expected that this command matched
>>>>   access to *
>>>>           by users read
>>>> 
>>>>   My goal is that only authenticated user would be able to access 
> the ldap
>>>  directory and users can change their passwords
>>>> 
>>>>   Does anyone has an idea on how to explain this behavior. ?
>>>> 
>>>>   Thank you
>>>> 
>>> 
>> 
>

Next by Date: Re: Advice regarding ldap (building my tree)
Index(es):
- Chronological
- Thread