
Re: slapd ACLs - [SOLVED]
Olivier,

Thank you for your suggestion, it really helped. The problem is now solved.

My configuration looks like this now:
defaultsearchbase       dc=mydomain,dc=org

sortvals member memberUid roleOccupant

access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
        by dn.regex="uid=myadmin,ou=people,dc=mydomain,dc=org" write
        by self write
        by anonymous auth
        by * none

access to *
        by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
        by self write
        by users read
        by anonymous auth
        by * none


I have made some tests and so far it seems good. Myadmin is able to see everyone's password, a user can see his own passwords but not other people's. Non-authenticated users cannot do anything.

I have noticed that I cannot add a comment line in the middle of an ACL; slapd won't start:

access to *
        by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
#        by self write
        by users read

But my version 2.4.26 is not the latest, so this feature may have been implemented already.

----- Original Message -----
> From: Olivier Guillard <olivier@guillard.nom.fr>
> To: Mik J <mikydevel@yahoo.fr>
> Cc: 
> Sent: Sunday, 30 September 2012 22:23
> Subject: Re: slapd ACLs
> 
> Could you activate the ACL debug level?
> 
> Since I'm not very familiar with "dn.regex", you might need help from
> someone else anyway.
> 
> ---
> Olivier
> 
> 2012/9/30 Mik J <mikydevel@yahoo.fr>:
>> Thank you for your answer Olivier, I tried to do this but it didn't
>> work. The logs look like this:
>> 
>> conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
>> conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
>> conn=1001 op=0 RESULT tag=97 err=0 text=
>> conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
>> conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>> conn=1001 op=2 UNBIND
>> 
>> I triple checked, and when it works, with the dn.subtree permission at the
>> beginning of slapd.conf, I have:
>> conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" method=128
>> conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org" mech=SIMPLE ssf=0
>> conn=1000 op=0 RESULT tag=97 err=0 text=
>> conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org" scope=2 deref=0 filter="(objectClass=*)"
>> conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> conn=1000 op=2 UNBIND
>> 
>> ----- Original Message -----
>>> From: Olivier <ldap@guillard.nom.fr>
>>> To: Mik J <mikydevel@yahoo.fr>
>>> Cc:
>>> Sent: Sunday, 30 September 2012 20:29
>>> Subject: Re: slapd ACLs
>>> 
>>> Try to put this rule:
>>> 
>>>>   access to dn.subtree=""
>>>>           by * read
>>> 
>>>  after the two others.
>>> 
>>> (Once a rule matches, the scan stops: order counts.)
>>> 
>>>  --
>>>  Olivier
>>> 
>>> 2012/9/30 Mik J <mikydevel@yahoo.fr>:
>>>> Hello,
>>>> 
>>>> I'm a bit confused with the ACLs in my slapd.conf considering I have this:
>>>> 
>>>> access to dn.subtree=""
>>>>         by * read
>>>> 
>>>> access to attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>>>         by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" write
>>>>         by dn="uid=admin,ou=people,dc=mydomain,dc=org" write
>>>>         by self write
>>>>         by anonymous auth
>>>>         by * none
>>>> 
>>>> access to *
>>>>         by dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?" =wrscx
>>>>         by self write
>>>>         by users read
>>>>         by anonymous auth
>>>>         by * none
>>>> 
>>>> When I do an ldapsearch without authentication, I can see the user's
>>>> details including the unencrypted password:
>>>> 
>>>> ldapsearch -x -b "uid=user1,ou=people,dc=mydomain,dc=org"
>>>> 
>>>> I think that it's because of the rule access to dn.subtree="" by * read.
>>>> With an authenticated user it works as well:
>>>> 
>>>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>> 
>>>> But if I comment out these two lines
>>>> #access to dn.subtree=""
>>>> #        by * read
>>>> the search doesn't give me any result:
>>>> 
>>>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>> # search result
>>>> search: 2
>>>> result: 32 No such object
>>>> # numResponses: 1
>>>> 
>>>> I would have expected that this command matched
>>>> access to *
>>>>         by users read
>>>> 
>>>> My goal is that only authenticated users would be able to access the ldap
>>>> directory and that users can change their passwords.
>>>> 
>>>> Does anyone have an idea how to explain this behavior?
>>>> 
>>>> Thank you
>>>> 
>>> 
>> 
>
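The first-match evaluation Olivier points out (once a rule matches, the scan stops) is what made the catch-all `access to dn.subtree="" by * read` expose userPassword to anonymous binds when it sat first. The following Python model is an added example, not code from the thread or from OpenLDAP: it transcribes the original and the solved ACLs and evaluates them with a simplified version of the slapd.access(5) rules (a single admin DN `uid=admin,...` instead of the thread's SASL/Kerberos regex, and one flat access ladder).

```python
import re

# Simplified access ladder from slapd.access(5); "=wrscx" is treated as write.
LEVEL = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def what_matches(what, entry_dn, attr):
    """Does the 'access to <what>' target cover this entry and attribute?"""
    if what == "*":
        return True
    if what.startswith("dn.subtree="):          # dn.subtree="" covers every entry
        base = what.split("=", 1)[1].strip('"').lower()
        return base == "" or entry_dn.lower().endswith(base)
    if what.startswith("attrs="):
        return attr.lower() in what[len("attrs="):].lower().split(",")
    return False

def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who in ("anonymous", "users"):
        return (bind_dn is None) == (who == "anonymous")
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    if who.startswith("dn.regex="):             # unanchored, like POSIX regexec
        return bind_dn is not None and re.search(who[9:].strip('"'), bind_dn, re.I) is not None
    return False

def granted(acls, bind_dn, entry_dn, attr):
    """First matching 'access to' clause decides; inside it, the first matching 'by'."""
    for what, by_clauses in acls:
        if what_matches(what, entry_dn, attr):
            for who, priv in by_clauses:
                if who_matches(who, bind_dn, entry_dn):
                    return LEVEL["write"] if priv.startswith("=") else LEVEL[priv]
            return LEVEL["none"]                # implicit trailing 'by * none'
    return LEVEL["none"]

# ACLs transcribed from the thread, with a single (assumed) admin DN for brevity.
ADMIN = 'dn.regex="uid=admin,ou=people,dc=mydomain,dc=org"'
PASSWORD_RULE = ("attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword",
                 [(ADMIN, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")])
CATCH_ALL = ("*", [(ADMIN, "=wrscx"), ("self", "write"), ("users", "read"),
                   ("anonymous", "auth"), ("*", "none")])
ORIGINAL = [('dn.subtree=""', [("*", "read")]), PASSWORD_RULE, CATCH_ALL]  # catch-all first: leaks
SOLVED = [PASSWORD_RULE, CATCH_ALL]
USER1 = "uid=user1,ou=people,dc=mydomain,dc=org"   # constructed sample DNs
USER2 = "uid=user2,ou=people,dc=mydomain,dc=org"

def can_read_password(acls, bind_dn, entry_dn=USER1):
    return granted(acls, bind_dn, entry_dn, "userPassword") >= LEVEL["read"]
```

Running `can_read_password(ORIGINAL, None)` reproduces the anonymous leak from the first post, while the same call against `SOLVED` stops at the attrs rule and yields only `auth`.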