[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
{resolved}Re: SyncRepl Chaining
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: espeake@oreillyauto.com
Cc: openldap-technical@openldap.org
Date: 09/06/2013 02:14 PM
Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 1:46 PM -0500 espeake@oreillyauto.com
wrote:
>
>
>
> From: Quanah Gibson-Mount <quanah@zimbra.com>
> To: espeake@oreillyauto.com
> Cc: openldap-technical@openldap.org
> Date: 09/06/2013 12:29 PM
> Subject: Re: SyncRepl Chaining
>
>
>
> --On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.com
> wrote:
>
>
>> add: olcAccess
>> olcAccess: {0}to *
>> by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read
>> by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read
>> by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
>> by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write
>> by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write
>> break
>
> This should be "by * break" not "break"
>
> You have no ACL granting access to the pseudo-attribute "entry".
>
> I personally have as my last ACL:
>
> olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" write
> by *
> read
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Lead Engineer
> Zimbra, Inc
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
> Here is the access list from a new slapcat, this is for olcDatabase=
{1}hdb
>
>
> olcAccess: {0}to * by
> dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com"
> read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com"
> read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write
> by dn.base
> ="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by
> dn.base="uid=p
> asswordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break
> olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by
> group/groupOfUniqueNa
> mes/uniqueMember="cn=System
> Administrators,ou=Groups,dc=oreillyauto,dc=com" w
> rite by group/groupOfUniqueNames/uniqueMember="cn=LDAP
> Admin,ou=Groups,dc=o
> reillyauto,dc=com" write
> olcAccess: {2}to attrs=userPassword by
> group/groupOfUniqueNames/uniqueMember
> ="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous
> read
> olcAccess: {3}to attrs=uid by anonymous read by users read
> olcAccess: {4}to attrs=ou,employeeNumber by users read
> olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by
> dn.subtree=
> "ou=Users,dc=oreillyauto,dc=com" none by users read
> olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by
> dnattr=own
> er write by dnattr=uniqueMember read by * none
> olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self
> read
> by
>
group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreill
> yauto,dc=com" read by * none
> olcAccess: {8}to * by self read by users read
> olcAccess: {9} to attrs=entry by dn.children="cn=admins" write by * read
Your acls are still clearly a mess.
olcAccess{1} blocks access to most of the tree for everything but two
identities.
I would also note that ACL 9 is clearly never going to be evaluated because
ACL{8} covers everything, and has no break clause.
I would also note that ACL2 is a significant security risk, as it grants
read access on the user password attribute to anonymous, instead of AUTH
access.
I would note that ACLs 5, 6, and 7 will never be evaluated because of ACL
{1}
I would note that ACLS 3, 4, and 8 likely do not do anything, given ACL{1},
since the majority of the tree is closed to them. You probably want a by *
break on ACL{1} as well.
I would note that the general way in which you've structured your ACLs
makes them difficult to evaluate and maintain.
--Quanah
--
Quanah Gibson-Mount
Lead Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
This was definately an issue with the ACL's I took down to three for
testing and I will work on any areas our team deems to be a security issue.
Thank you for all of your help.
Eric
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.