
Re: restrict anonymous read access to posixAccount



I've made a step forward. My problem has something to do with access to
parent entries.

To summarize:

with:
olcAccess: to filter=
 "(| (objectClass=posixAccount) (objectClass=posixGroup))"
  by anonymous read

I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
No such object (32)
~$

with:
olcAccess: to dn.sub=""
  by anonymous search

I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
~$
No return message means the object was found.

But how can I set anonymous to read posixAccounts or posixGroups and
restrict its parents only to search?

olcAccess: to dn.sub=""
  by anonymous search
  break
olcAccess: to filter=
 "(| (objectClass=posixAccount) (objectClass=posixGroup))"
  by anonymous read

does not work (No such object (32)). Any ideas?

Ingo


On 2013-07-02 13:57, Ingo wrote:
> Hello list,
> 
> I'm just learning about access control.
> 
> I want to set up my clients to manage their posixAccounts and posixGroups
> over the LDAP directory. With the default access rights it's working.
> Clients look anonymously at the directory for the group, e.g. at
> boot time or on user login. Syslog shows me:
> 
> ~$ sudo egrep "slapd\[.*\]: conn=1186" /var/log/syslog
> slapd[2340]: conn=1186 fd=13 ACCEPT from IP=192.168.1.64:35566 (IP=0.0.0.0:389)
> slapd[2340]: conn=1186 op=0 BIND dn="" method=128
> slapd[2340]: conn=1186 op=0 RESULT tag=97 err=0 text=
> slapd[2340]: conn=1186 op=1 SRCH base="dc=hoeft-online,dc=de" scope=2 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=1002))"
> slapd[2340]: conn=1186 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
> slapd[2340]: conn=1186 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> slapd[2340]: conn=1186 fd=13 closed (connection lost)
> ~$
> 
> slapd ACCEPTs a connection from the client, BINDs anonymously
> with the simple method (BIND dn="" method=128) and searches with
> filter="(&(objectClass=posixGroup)(gidNumber=1002))" with SEARCH
> RESULT success (err=0 nentries=1).
> 
> testing it with:
> ~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
> dn: cn=gemeinsam,ou=groups,ou=home,dc=hoeft-online,dc=de
> cn: gemeinsam
> gidNumber: 1002
> objectClass: top
> objectClass: posixGroup
> memberUid: ingo
> memberUid: uschi
> ~$
> 
> Now I try to restrict anonymous read only to posixGroup and
> posixAccount because I don't want anonymous reading other entries. I
> modified the default access control to this:
> 
> olcAccess: to filter=
>  "(| (objectClass=posixAccount) (objectClass=posixGroup))"
>   by anonymous read
> olcAccess: to *
>   by self write
>   by dn=<admin> write
>   by * none
> 
> now I get:
> ~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
> No such object (32)
> ~$
> 
> It works with:
> olcAccess: to filter="(objectClass=*)" by anonymous read
> 
> or
> 
> olcAccess: to filter="(objectClass=top)" by anonymous read
> 
> What am I misunderstanding here?
> 
> And yes, I have read slapd.access three times but do not really
> understand everything until now.
> 
> Kind regards
> Ingo
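A least-privilege olcAccess ordering for the situation described in the thread, added here as an example and not taken from the thread or from the OpenLDAP defaults: the `{n}` indices, the database DN `olcDatabase={1}mdb,cn=config` and the admin DN `cn=admin,dc=hoeft-online,dc=de` are assumptions. slapd uses the first `to` clause whose target matches the entry/attribute being checked, so the `attrs=entry` search grant for the whole subtree (which is what lets an anonymous search reach the base and walk down to the groups) and the `userPassword` rule must both come before the filter rule, otherwise the broad `read` on posixAccount entries would also hand out password hashes.

```ldif
# Added example (not from the thread). Assumed: database DN below, suffix
# dc=hoeft-online,dc=de from the thread, admin cn=admin,dc=hoeft-online,dc=de.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# {0}: password hashes first. "read" includes "search" and "compare", so a
# later read grant on posixAccount entries must never reach userPassword.
olcAccess: {0}to attrs=userPassword
  by self write
  by dn.exact="cn=admin,dc=hoeft-online,dc=de" write
  by anonymous auth
  by * none
# {1}: a search needs "search" on the entry pseudo-attribute of the search
# base and of every entry slapd walks. Without this the base itself is
# invisible to anonymous and the client sees "No such object (32)".
# Granting only "search" here does not disclose the entries' attributes.
olcAccess: {1}to dn.subtree="dc=hoeft-online,dc=de" attrs=entry
  by dn.exact="cn=admin,dc=hoeft-online,dc=de" write
  by * search
# {2}: account and group entries are readable by anonymous (NSS/PAM lookups).
# "read" also supplies the "search" right the filter needs on objectClass
# and gidNumber for these entries.
olcAccess: {2}to filter="(|(objectClass=posixAccount)(objectClass=posixGroup))"
  by self write
  by dn.exact="cn=admin,dc=hoeft-online,dc=de" write
  by anonymous read
  by * read
# {3}: everything else (ou containers, other object types) stays closed to
# anonymous; authenticated users only see their own entry.
olcAccess: {3}to *
  by self write
  by dn.exact="cn=admin,dc=hoeft-online,dc=de" write
  by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>` and then re-run the `ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"` check from the thread: the group entry should be returned, while an anonymous `ldapsearch -xLLL -b ou=home,dc=hoeft-online,dc=de "(objectClass=*)"` returns only the posixAccount/posixGroup entries and none of the containers' attributes.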
