
Problem with self in acl in combination with rwm



I have a configuration somewhat similar to the one below, and the ACLs
seem to be applied using the non-rewritten DN, which causes the self
specifier to never match.

We are in the process of configuring a more secure LDAP server with
stricter ACLs and extra security checks without affecting existing
applications. For this purpose we are putting a rewriting proxy in front
of several legacy LDAP servers. Ideally, the ACLs would be put in place
on the original servers but this is not easily possible in this
environment.

Is this a bug or am I doing something wrong?


Configuration snippet (simplified and anonymised):

access to attrs=userPassword
  by self =xw
  by anonymous auth
  by * none

access to *
  by self read
  by * search

database          ldap
suffix            "ou=department1,dc=example,dc=com"
rootdn            "cn=admin,dc=example,dc=com"
subordinate
uri               "ldap://192.168.1.1"
overlay           rwm
rwm-suffixmassage "ou=department1,dc=example,dc=com" "dc=department1,dc=local"

database          ldap
suffix            "ou=department2,dc=example,dc=com"
rootdn            "cn=admin,dc=example,dc=com"
subordinate
uri               "ldap://192.168.1.2"
overlay           rwm
rwm-suffixmassage "ou=department2,dc=example,dc=com" "dc=department2,dc=local"

database          bdb
suffix            "dc=example,dc=com"
rootdn            "cn=admin,dc=example,dc=com"
rootpw            {SSHA}5OWnUtaKRBk7x0UBQKO/HOgMZQoCczY5

directory         /var/openldap-data
cachesize         1000
index             objectClass eq
index             cn,mail pres,eq,sub
index             uid,uidNumber pres,eq


Part of the slapd output with -d 896 (again, anonymised):

5295fbb1 conn=1000 fd=27 ACCEPT from IP=127.0.0.1:48903 (IP=0.0.0.0:3389)
5295fbb1 conn=1000 op=0 BIND dn="uid=ldaptest,ou=People,ou=department2,dc=example,dc=com" method=128
5295fbb1 conn=1000 op=0 BIND dn="uid=ldaptest,ou=People,dc=department2,dc=local" mech=SIMPLE ssf=0
5295fbb1 conn=1000 op=0 RESULT tag=97 err=0 text=
5295fbb1 conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
5295fbb1 => access_allowed: search access to "dc=example,dc=com" "entry" requested
5295fbb1 => dn: [1]
5295fbb1 => acl_get: [3] attr entry
5295fbb1 => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
5295fbb1 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb1 <= check a_dn_pat: self
5295fbb1 <= check a_dn_pat: *
5295fbb1 <= acl_mask: [2] applying search(=scxd) (stop)
5295fbb1 <= acl_mask: [2] mask: search(=scxd)
5295fbb1 => slap_access_allowed: search access granted by search(=scxd)
5295fbb1 => access_allowed: search access granted by search(=scxd)
[...]
5295fbb2 => access_allowed: read access to "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com" "entry" requested
5295fbb2 => dn: [1]
5295fbb2 => acl_get: [3] attr entry
5295fbb2 => acl_mask: access to entry "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com", attr "entry" requested
5295fbb2 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb2 <= check a_dn_pat: self
5295fbb2 <= check a_dn_pat: *
5295fbb2 <= acl_mask: [2] applying search(=scxd) (stop)
5295fbb2 <= acl_mask: [2] mask: search(=scxd)
5295fbb2 => slap_access_allowed: read access denied by search(=scxd)
5295fbb2 => access_allowed: no more rules
5295fbb2 send_search_entry: conn 1000 access to entry (uid=ldaptest,ou=People,ou=department2,dc=example,dc=com) not allowed


The DN that is used seems to be uid=ldaptest,ou=people,dc=department2,dc=local,
which is how we were bound to the second LDAP server.

Thanks

PS: I would also be very interested in a solution for
http://www.openldap.org/lists/openldap-technical/201302/msg00152.html

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

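The comparison that the trace above shows failing, as an added illustration that is not part of the original post and not slapd's own code: a deliberately simplified model of the `by self` check (slapd's real DN normalization and matching rules are far richer than the case-folding done here), run over the acl_mask lines quoted in the post. It pairs each "access to entry" line with the following "to all values by" line, checks whether the bound DN equals the entry DN as slapd saw it, and then checks again after mapping the bound DN back from the backend's real suffix to the virtual suffix with the `rwm-suffixmassage` pair from the second proxy database. The constants, function names and the `diagnose` report format are this example's own assumptions.

```python
"""
Simplified model of OpenLDAP's ``by self`` ACL check under an rwm
suffix massage.  Added illustration only: slapd's DN normalization and
matching rules are far richer than the case-folding done here; this
only reproduces the comparison shown failing in the post's trace.
"""
import re

# Suffix pair from the post's second proxy database
# (rwm-suffixmassage <virtual> <real>): clients and ACLs see the virtual
# suffix, the backend server is spoken to with the real one.
VIRTUAL_SUFFIX = "ou=department2,dc=example,dc=com"
REAL_SUFFIX = "dc=department2,dc=local"

# acl_mask lines copied from the post's trace (anonymised by its author);
# only the entry line and the following "by" line matter here.
ACL_TRACE = """\
5295fbb1 => acl_mask: access to entry "dc=example,dc=com", attr "entry" requested
5295fbb1 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb1 <= check a_dn_pat: self
5295fbb2 => acl_mask: access to entry "uid=ldaptest,ou=People,ou=department2,dc=example,dc=com", attr "entry" requested
5295fbb2 => acl_mask: to all values by "uid=ldaptest,ou=people,dc=department2,dc=local", (=0)
5295fbb2 <= check a_dn_pat: self
"""

_ENTRY_RE = re.compile(r'acl_mask: access to entry "([^"]*)"')
_BY_RE = re.compile(r'acl_mask: to all values by "([^"]*)"')


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.split(r'(?<!\\),', dn)


def normalize_dn(dn):
    """Case-fold attribute types and values and strip whitespace per RDN
    (an approximation of slapd's normalized form for caseIgnore attrs)."""
    rdns = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        rdns.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(rdns)


def self_matches(entry_dn, authz_dn):
    """``by self`` applies only when the connection's authorization DN is
    the very entry being accessed."""
    return normalize_dn(entry_dn) == normalize_dn(authz_dn)


def unmassage(dn, virtual_suffix=VIRTUAL_SUFFIX, real_suffix=REAL_SUFFIX):
    """Map a DN from the backend's real namespace back to the virtual one,
    i.e. reverse the suffix massage the proxy applied on the bind."""
    ndn, real = normalize_dn(dn), normalize_dn(real_suffix)
    if ndn == real:
        return normalize_dn(virtual_suffix)
    if ndn.endswith("," + real):
        return ndn[: -len(real)] + normalize_dn(virtual_suffix)
    return ndn  # not under the massaged suffix: leave untouched


def parse_acl_trace(text):
    """Pair each acl_mask entry line with the 'by' line that follows it."""
    pairs, entry = [], None
    for line in text.splitlines():
        m = _ENTRY_RE.search(line)
        if m:
            entry = m.group(1)
            continue
        m = _BY_RE.search(line)
        if m and entry is not None:
            pairs.append((entry, m.group(1)))
            entry = None
    return pairs


def diagnose(text):
    """For every access check in the trace report whether ``self`` matches
    with the DNs exactly as logged, and whether it would match had the
    bound DN been mapped back into the virtual namespace first."""
    report = []
    for entry_dn, authz_dn in parse_acl_trace(text):
        report.append({
            "entry": entry_dn,
            "authz": authz_dn,
            "self_as_logged": self_matches(entry_dn, authz_dn),
            "self_if_unmassaged": self_matches(entry_dn, unmassage(authz_dn)),
        })
    return report


if __name__ == "__main__":
    for r in diagnose(ACL_TRACE):
        print(f"entry: {r['entry']}")
        print(f"  by:  {r['authz']}")
        print(f"  self matches as logged:            {r['self_as_logged']}")
        print(f"  self matches after reverse massage: {r['self_if_unmassaged']}")
```

Running it prints False/False for the `dc=example,dc=com` entry (the bound user is not that entry either way) and False/True for the user's own entry: with the bound DN left in the `dc=department2,dc=local` form the `self` pattern cannot match, while the same DN translated back to `ou=department2,dc=example,dc=com` is identical to the entry DN the ACL is being evaluated against.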