Re: SyncRepl Chaining

[Quanah Gibson-Mount <quanah@zimbra.com>]

--On Friday, September 06, 2013 1:46 PM -0500 espeake@oreillyauto.com wrote:

> From:	Quanah Gibson-Mount <quanah@zimbra.com>
> To:	espeake@oreillyauto.com
> Cc:	openldap-technical@openldap.org
> Date:	09/06/2013 12:29 PM
> Subject:	Re: SyncRepl Chaining
>
>
>
> --On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.com
> wrote:
>
>
> > add: olcAccess
> > olcAccess: {0}to *
> >     by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
> >     by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
> >     by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
> >     by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
> >     by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
> >     break
>
> This should be "by * break" not "break"
>
> You have no ACL granting access to the pseudo-attribute "entry".
>
> I personally have as my last ACL:
>
> olcAccess: {10}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write
> by *
>   read
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Lead Engineer
> Zimbra, Inc
> --------------------
> Zimbra ::  the leader in open source messaging and collaboration
>
> Here is the access list from a new slapcat, this is for olcDatabase={1}hdb
>
>
> olcAccess: {0}to *   by
> dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com"
>   read   by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
> read  by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
> by dn.base
>  ="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write   by
> dn.base="uid=p
>  asswordAdmin,ou=System,dc=oreillyauto,dc=com" write   by * break
> olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com"   by
> group/groupOfUniqueNa
>  mes/uniqueMember="cn=System
> Administrators,ou=Groups,dc=oreillyauto,dc=com" w
>  rite   by group/groupOfUniqueNames/uniqueMember="cn=LDAP
> Admin,ou=Groups,dc=o
>  reillyauto,dc=com" write
> olcAccess: {2}to attrs=userPassword   by
> group/groupOfUniqueNames/uniqueMember
>  ="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write   by anonymous
> read
> olcAccess: {3}to attrs=uid   by anonymous read   by users read
> olcAccess: {4}to attrs=ou,employeeNumber   by users read
> olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com"   by
> dn.subtree=
>  "ou=Users,dc=oreillyauto,dc=com" none   by users read
> olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com"   by
> dnattr=own
>  er write   by dnattr=uniqueMember read   by * none
> olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com"   by self
> read
>  by
> group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreill
>  yauto,dc=com" read   by * none
> olcAccess: {8}to *   by self read   by users read
> olcAccess: {9} to attrs=entry by dn.children="cn=admins" write by * read

Your acls are still clearly a mess.

olcAccess{1} blocks access to most of the tree for everything but two 
identities.

I would also note that ACL 9 is clearly never going to be evaluated because 
ACL{8} covers everything, and has no break clause.

I would also note that ACL2 is a significant security risk, as it grants 
read access on the user password attribute to anonymous, instead of AUTH 
access.

I would note that ACLs 5, 6, and 7 will never be evaluated because of ACL{1}

I would note that ACLS 3, 4, and 8 likely do not do anything, given ACL{1}, 
since the majority of the tree is closed to them.  You probably want a by * 
break on ACL{1} as well.

I would note that the general way in which you've structured your ACLs 
makes them difficult to evaluate and maintain.

--Quanah

--

Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra ::  the leader in open source messaging and collaboration