Re: OLC permissions - general beginner question
- To: Stefan Bauer <sb@plzk.de>
- Subject: Re: OLC permissions - general beginner question
- From: Ferenc Wagner <wferi@niif.hu>
- Date: Wed, 03 Jun 2015 20:02:43 +0200
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <zarafa.556f0754.415a.78b1ecba2454406e@srv1.localhost> (Stefan Bauer's message of "Wed, 3 Jun 2015 15:55:32 +0200")
- References: <zarafa.556f0754.415a.78b1ecba2454406e@srv1.localhost>
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.4 (gnu/linux)
Stefan Bauer <sb@plzk.de> writes:
> I only have the cn=config DIT available.
(You actually have cn=monitor, too.)
> dn: olcDatabase={0}config,cn=config
> olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
> [...]
> so it looks like only UID=0 (root) should be able to interoperate with
> the directory. However all local users can connect but do not have
> access to cn=config (this is expected).
>
> [user@host ~]$ ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config'
> [...]
> search: 2
> result: 32 No such object
>
> So why am I even able to logon and state a query?
You do not "logon", you use external authentication, which means there's
no separate BIND step, like with simple bind (-x) for example. External
authentication is not done by slapd (hence its name; it's done by the
kernel in the above case), thus slapd can't fail it. The only LDAP
operation it sees is a search, and the authenticated DN
(gidNumber=X+uidNumber=Y,...) is not authorized for that, so the result
is "No such object". As ACLs belong to target objects, they are not
suitable for forcing server disconnection as soon as the authenticated
DN is known. Maybe LDAP doesn't even allow such behaviour.
--
Regards,
Feri.
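As an added illustration (not part of the thread), the following Python models the olcAccess value quoted above: it derives the `cn=peercred` authorization DN slapd assigns an ldapi:// peer, evaluates the `by` clauses first-match-wins, and maps the granted level to the result code a base search of cn=config produces. The access-level ordering and the disclose/noSuchObject rule follow slapd.access(5); the helper names are the example's own.

```python
import re

# Constructed copy of the olcAccess value quoted in the thread; only its
# two by-clause forms (dn.base="..." and *) are modelled.
OLC_ACCESS = ('{0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,'
              'cn=external,cn=auth" manage by * none')

# slapd access levels, weakest to strongest (see slapd.access(5)).
LEVELS = ['none', 'disclose', 'auth', 'compare', 'search', 'read', 'write', 'manage']


def peercred_dn(uid, gid):
    """Authorization DN slapd derives from the Unix peer credentials of an
    ldapi:// connection after a SASL EXTERNAL bind (no password is checked)."""
    return f"gidNumber={gid}+uidNumber={uid},cn=peercred,cn=external,cn=auth"


def parse_by_clauses(olc_access):
    """Return [((kind, value), level), ...] from an olcAccess value of the form
    '{n}to <what> by <who> <level> by <who> <level> ...'."""
    body = re.sub(r'^\{\d+\}', '', olc_access)  # drop the {n} ordering tag
    parsed = []
    for who, level in re.findall(r'\bby\s+(\*|dn\.base="[^"]*")\s+(\w+)', body):
        if who.startswith('dn.base="'):
            parsed.append((('dn.base', who[len('dn.base="'):-1]), level))
        else:
            parsed.append((('anyone', None), level))
    return parsed


def granted_level(authz_dn, olc_access=OLC_ACCESS):
    """First matching <by> clause wins, as in slapd; no match means 'none'."""
    for (kind, value), level in parse_by_clauses(olc_access):
        if kind == 'anyone' or (kind == 'dn.base' and value == authz_dn):
            return level
    return 'none'


def search_result_code(uid, gid):
    """Result code a base search of cn=config gets for this peer. Without
    even 'disclose' access slapd hides the entry, so the answer is 32
    (noSuchObject) rather than 50 (insufficientAccess)."""
    rank = LEVELS.index(granted_level(peercred_dn(uid, gid)))
    if rank >= LEVELS.index('search'):
        return 0   # success: entries are returned
    if rank >= LEVELS.index('disclose'):
        return 50  # insufficientAccess: existence is disclosed, contents are not
    return 32      # noSuchObject: the entry is invisible to this identity
```

Running `search_result_code(0, 0)` gives 0 while any other uid/gid pair gives 32, which is exactly the "No such object" the unprivileged user in the thread sees.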