[Date Prev][Date Next] [Chronological] [Thread] [Top]

restrict anonymous read access to posixAccount



Hello list,

I'm just learning about access control.

I want to setup my clients to manage its posixAccounts and posixGroups
over the ldap Directory. With the default access rights it's working.
Clients are looking anonymous at the directory for the group, e.g. at
boot time or on user login. Syslog shows me:

~$ sudo egrep "slapd\[.*\]: conn=1186" /var/log/syslog
slapd[2340]: conn=1186 fd=13 ACCEPT from IP=192.168.1.64:35566
(IP=0.0.0.0:389)
slapd[2340]: conn=1186 op=0 BIND dn="" method=128
slapd[2340]: conn=1186 op=0 RESULT tag=97 err=0 text=
slapd[2340]: conn=1186 op=1 SRCH base="dc=hoeft-online,dc=de" scope=2
deref=0 filter="(&(objectClass=posixGroup)(gidNumber=1002))"
slapd[2340]: conn=1186 op=1 SRCH attr=cn userPassword memberUid
uniqueMember gidNumber
slapd[2340]: conn=1186 op=1 SEARCH RESULT tag=101 err=0 nentries=1
text=
slapd[2340]: conn=1186 fd=13 closed (connection lost)
~$

slapd ACCEPT a connection from the client, BIND to anonymous
with simple method (BIND dn="" method=128) and searches with
filter="(&(objectClass=posixGroup)(gidNumber=1002))" with SEARCH
RESULT success (err=0 nentries=1).

testing it with:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
dn: cn=gemeinsam,ou=groups,ou=home,dc=hoeft-online,dc=de
cn: gemeinsam
gidNumber: 1002
objectClass: top
objectClass: posixGroup
memberUid: ingo
memberUid: uschi
~$

Now I try to restrict anonymous read only to posixGroup and
posixAccount because I don't want anonymous reading other Entries. I
modified the default access control to this:

olcAccess: to filter=
 "(| (objectClass=posixAccount) (objectClass=posixGroup))"
  by anonymous read
olcAccess: to *
  by self write
  by dn=<admin> write
  by * none

now I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
No such object (32)
~$

It works with:
olcAccess: to filter="(objectClass=*)" by anonymous read

or

olcAccess: to filter="(objectClass=top)" by anonymous read

What I'm misunderstanding here?

And yes, I have read slapd.access three times but do not really
understand everything til now.

kind regards
Ingo

Attachment: signature.asc
Description: OpenPGP digital signature