[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: slapd ACLs - [SOLVED]
Olivier,
Thank you for your suggestion, it really helped. The problem is now solved.
My configuration looks like this now
defaultsearchbase dc=mydomain,dc=org
sortvals member memberUid roleOccupant
access to attrs=userpassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword,sambaPwdLastSet
by dn.regex="uid=myadmin,ou=people,dc=mydomain,dc=org" write
by self write
by anonymous auth
by * none
access to *
by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
by self write
by users read
by anonymous auth
by * none
I have made some tests and so far it seems good. Myadmin is able to see everyone's password, a user can see his passwords but not other's people. Non authenticated users cannot do anything.
I have noticed that I cannot add a comment line in the middle of an ACL and slapd won't start
access to *
by dn.regex="uid=admin,ou=people,dc=mydomain,dc=org" =wrscx
# by self write
by users read
But my version 2.4.26 is not the latest so this feature my have been implemented already.
----- Mail original -----
> De : Olivier Guillard <olivier@guillard.nom.fr>
> À : Mik J <mikydevel@yahoo.fr>
> Cc :
> Envoyé le : Dimanche 30 septembre 2012 22h23
> Objet : Re: slapd ACLs
>
> Could you activate ACL debug level ?
>
> since I'm not very familiar with "dn.regex", you might need help
> from
> someone else anyway.
>
> ---
> Olivier
>
> 2012/9/30 Mik J <mikydevel@yahoo.fr>:
>> Thank you for your answer Olivier, I tried to do this but it didn't
> work. The logs look like this
>>
>> conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org"
> method=128
>> conn=1001 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org"
> mech=SIMPLE ssf=0
>> conn=1001 op=0 RESULT tag=97 err=0 text=
>> conn=1001 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org"
> scope=2 deref=0 filter="(objectClass=*)"
>> conn=1001 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
>> conn=1001 op=2 UNBIND
>>
>> I triple checked, and when it works, with the dn.subtree permission in the
> begining of slapd.conf I have
>> conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org"
> method=128
>> conn=1000 op=0 BIND dn="user2,ou=people,dc=mydomain,dc=org"
> mech=SIMPLE ssf=0
>> conn=1000 op=0 RESULT tag=97 err=0 text=
>> conn=1000 op=1 SRCH base="user1,ou=people,dc=mydomain,dc=org"
> scope=2 deref=0 filter="(objectClass=*)"
>> conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
>> conn=1000 op=2 UNBIND
>>
>>
>>
>>
>> ----- Mail original -----
>>> De : Olivier <ldap@guillard.nom.fr>
>>> À : Mik J <mikydevel@yahoo.fr>
>>> Cc :
>>> Envoyé le : Dimanche 30 septembre 2012 20h29
>>> Objet : Re: slapd ACLs
>>>
>>> T ry to put this rule :
>>>
>>>> access to dn.subtree=""
>>>> by * read
>>>
>>> after the two others.
>>>
>>> (ionce a rule matches, then the scan stops : order counts)
>>>
>>> --
>>> Olivier
>>>
>>> 2012/9/30 Mik J <mikydevel@yahoo.fr>:
>>>> Hello,
>>>>
>>>> I'm a bit confused with the ACLs in my slapd.conf considering
> I have
>>> this
>>>>
>>>> access to dn.subtree=""
>>>> by * read
>>>>
>>>> access to
>>>
> attrs=userPassword,shadowMax,shadowExpire,sambaLMPassword,sambaNTPassword
>>>> by
> dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?"
>>> write
>>>> by dn="uid=admin,ou=people,dc=mydomain,dc=org"
> write
>>>> by self write
>>>> by anonymous auth
>>>> by * none
>>>>
>>>> access to *
>>>> by
> dn.regex="uid=[^/]+/admin\+(realm=MYDOMAIN.ORG)?"
>>> =wrscx
>>>> by self write
>>>> by users read
>>>> by anonymous auth
>>>> by * none
>>>>
>>>>
>>>> When I do a ldapsearch without authentication, I can see the
> user's
>>> details including the unencrypted password
>>>>
>>>> ldapsearch -x -b
> "uid=user1,ou=people,dc=mydomain,dc=org"
>>>> I think that it's because the rule access to
> dn.subtree="" by
>>> * read
>>>> With an authenticated user is works as well
>>>>
>>>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b
>>> "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>>
>>>> But if I comment these two lines
>>>> #access to dn.subtree=""
>>>> # by * read
>>>> The search doesn't give me any result
>>>>
>>>> ldapsearch -x -D uid=user2,ou=people,dc=mydomain,dc=org -b
>>> "uid=user1,ou=people,dc=mydomain,dc=org" -W
>>>> # search result
>>>> search: 2
>>>> result: 32 No such object
>>>> # numResponses: 1
>>>>
>>>> I would have expected that this command matched
>>>> access to *
>>>> by users read
>>>>
>>>> My goal is that only authenticated user would be able to access
> the ldap
>>> directory and users can change their passwords
>>>>
>>>> Does anyone has an idea on how to explain this behavior. ?
>>>>
>>>> Thank you
>>>>
>>>
>>
>