ACL problem
- To: openldap-technical@openldap.org
- Subject: ACL problem
- From: Cole <cole@opteqint.net>
- Date: Tue, 29 Mar 2016 18:41:44 +0200
Hi,
I am using OLC and ACLs to limit the response from LDAP based on IP
address, and this is working fine if I have a single ACL. When I add a
second ACL, with a different IP address, the new ACL works, but the
previous one does not.
Example:
Entries in LDAP:
# 10.0.0.92, servers, test.com
dn: cn=10.0.0.92,ou=servers,dc=test,dc=com
objectClass: groupOfNames
cn: 10.0.0.92
description: Allowed access
member: uid=aaa,dc=test,dc=com
# 10.0.0.94, servers, test.com
dn: cn=10.0.0.94,ou=servers,dc=test,dc=com
objectClass: groupOfNames
cn: 10.0.0.94
description: Allowed access
member: uid=aaa,dc=test,dc=com
# aaa, test.com
dn: uid=aaa,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
uid: aaa
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/aaa
loginShell: /usr/local/bin/bash
mail: a@test.com
ou: users
cn: User A
sn: A
userPassword:: xxx
OLC entries:
# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za/parts/new/instances/test/openldap-data
olcSuffix: dc=test,dc=com
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.92" read by * none
olcAccess: {1}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: test
At this point, running ldapsearch from the computer with ip address
10.0.0.92 works correctly, and only the filtered results are returned.
If I then add a second ACL:
# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za/parts/new/instances/test/openldap-data
olcSuffix: dc=test,dc=com
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.94,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.94" read by * none
olcAccess: {1}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.92" read by * none
olcAccess: {2}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: test
The computer with IP 10.0.0.94 can now query LDAP and receives the
correct filtered results; however, the computer with IP 10.0.0.92
receives a blank result:
$ ldapsearch -x -h 10.0.0.91 -b dc=test,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 0 Success
# numResponses: 1
Is this the way that ACLs work in openldap? Or have I missed a
configuration setting somewhere?
Thanks
/Cole
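The blank result follows from the evaluation order that slapd.access(5) documents: directives are tried in order, the first directive whose `to` clause matches the entry is selected, and within it the first matching `by` clause decides. Because uid=aaa is a member of both groups, the {0} directive (the 10.0.0.94 filter) claims that entry for every requester, and a peer at 10.0.0.92 falls through to its `by * none`. The directive for 10.0.0.92 is never reached. The script below is an added example, not part of the original post or of OpenLDAP itself: a deliberately simplified Python model of that first-match evaluation (only the `filter=`, `self`, `peername.ip` and `*` selectors used in the post are modelled, and the model is an assumption about slapd's behaviour rather than its code). It reproduces the posted outcome for an anonymous `ldapsearch -x`, then shows the same directives with the per-IP rules ending in `by * break` (the `break` control, which slapd.access(5) describes as handing evaluation to the next access directive) so that a non-matching peer is passed on instead of denied. The entries `USER_AAA` and `USER_BBB` are constructed from the post; `USER_BBB` is a hypothetical user in only the 10.0.0.94 group, added to check that `break` does not widen what 10.0.0.92 can read.

```python
"""
Simplified model of slapd access-directive evaluation (an assumption based on
slapd.access(5), not slapd's own code):
  * directives are tried in order; the first whose <what> matches the entry
    is selected and later directives are ignored;
  * inside that directive the first matching <who> clause decides;
  * a <who> clause with control "break" hands evaluation to the next
    directive instead of deciding.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class Entry:
    dn: str
    object_classes: Set[str]
    member_of: Set[str] = field(default_factory=set)


@dataclass
class By:
    who: str                      # "self", "ip:<addr>" (peername.ip), or "*"
    access: Optional[str] = None  # "read", "write", "none"; None when control="break"
    control: str = "stop"


@dataclass
class Directive:
    what: Callable[[Entry], bool]  # models the "to filter=(...)" selector
    by: List[By]


def member_filter(group_dn: str) -> Callable[[Entry], bool]:
    # (|(&(objectClass=inetOrgPerson)(memberOf=<group_dn>))(objectClass=posixGroup))
    def pred(e: Entry) -> bool:
        return ("inetOrgPerson" in e.object_classes and group_dn in e.member_of) \
            or "posixGroup" in e.object_classes
    return pred


def who_matches(clause: By, entry: Entry, bind_dn: Optional[str], peer_ip: str) -> bool:
    if clause.who == "self":
        return bind_dn is not None and bind_dn == entry.dn
    if clause.who.startswith("ip:"):
        return peer_ip == clause.who[3:]
    return clause.who == "*"


def evaluate(directives: List[Directive], entry: Entry,
             bind_dn: Optional[str], peer_ip: str) -> str:
    """Access level the model grants to the requester on this entry."""
    for d in directives:
        if not d.what(entry):
            continue                    # <what> does not select this entry
        for clause in d.by:
            if not who_matches(clause, entry, bind_dn, peer_ip):
                continue
            if clause.control == "break":
                break                   # pass the decision to the next directive
            return clause.access        # first matching <who> decides
        else:
            return "none"               # no <who> matched: implicit deny
    return "none"


G92 = "cn=10.0.0.92,ou=servers,dc=test,dc=com"
G94 = "cn=10.0.0.94,ou=servers,dc=test,dc=com"

# Constructed from the post: uid=aaa is a member of both groups.
USER_AAA = Entry("uid=aaa,dc=test,dc=com",
                 {"inetOrgPerson", "posixAccount", "ldapPublicKey", "shadowAccount"},
                 {G92, G94})
# Hypothetical extra user in the 10.0.0.94 group only (not in the post).
USER_BBB = Entry("uid=bbb,dc=test,dc=com", {"inetOrgPerson", "posixAccount"}, {G94})

# The post's second configuration: {0}=.94 group, {1}=.92 group, {2}=catch-all.
AS_POSTED = [
    Directive(member_filter(G94), [By("self", "read"), By("ip:10.0.0.94", "read"), By("*", "none")]),
    Directive(member_filter(G92), [By("self", "read"), By("ip:10.0.0.92", "read"), By("*", "none")]),
    Directive(lambda e: True,     [By("self", "write"), By("ip:127.0.0.1", "write"), By("*", "none")]),
]

# Same directives, but the per-IP rules end in "by * break" instead of "by * none".
WITH_BREAK = [
    Directive(member_filter(G94), [By("self", "read"), By("ip:10.0.0.94", "read"), By("*", control="break")]),
    Directive(member_filter(G92), [By("self", "read"), By("ip:10.0.0.92", "read"), By("*", control="break")]),
    Directive(lambda e: True,     [By("self", "write"), By("ip:127.0.0.1", "write"), By("*", "none")]),
]


def anonymous_search_access(directives: List[Directive], peer_ip: str,
                            entry: Entry = USER_AAA) -> str:
    """What an unauthenticated 'ldapsearch -x' from peer_ip gets on the entry."""
    return evaluate(directives, entry, bind_dn=None, peer_ip=peer_ip)


if __name__ == "__main__":
    for name, rules in (("as posted", AS_POSTED), ("with break", WITH_BREAK)):
        for ip in ("10.0.0.92", "10.0.0.94", "10.0.0.50"):
            print(f"{name:11s} peer {ip:10s} uid=aaa -> {anonymous_search_access(rules, ip)}")
```

Running it shows "as posted" granting read only to 10.0.0.94 and "with break" granting read to both listed peers while a third address, and 10.0.0.92 on the uid=bbb entry, still end at the catch-all `by * none`. The general rule is the one the admin guide gives: more specific `to` selectors go first, and a directive that should not be the final word for every requester must not close with `by * none`.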