
Re: ACL problem



On 29 March 2016 at 18:41, Cole <cole@opteqint.net> wrote:
> Hi,
>
> I am using OLC and ACLs to limit response from LDAP based on IP
> address, and this is working fine if I have a single ACL. When I add a
> second ACL, with a different IP address, the new ACL works, but the
> previous one does not.
>
> Example:
> Entries in LDAP:
>
> # 10.0.0.92, servers, test.com
> dn: cn=10.0.0.92,ou=servers,dc=test,dc=com
> objectClass: groupOfNames
> cn: 10.0.0.92
> description: Allowed access
> member: uid=aaa,dc=test,dc=com
>
> # 10.0.0.94, servers, test.com
> dn: cn=10.0.0.94,ou=servers,dc=test,dc=com
> objectClass: groupOfNames
> cn: 10.0.0.94
> description: Allowed access
> member: uid=aaa,dc=test,dc=com
>
> # aaa, test.com
> dn: uid=aaa,dc=test,dc=com
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: ldapPublicKey
> objectClass: shadowAccount
> uid: aaa
> uidNumber: 10005
> gidNumber: 10005
> homeDirectory: /home/aaa
> loginShell: /usr/local/bin/bash
> mail: a@test.com
> ou: users
> cn: User A
> sn: A
> userPassword:: xxx
>
> OLC entries:
>
> # {1}ldif, config
> dn: olcDatabase={1}ldif,cn=config
> objectClass: olcLdifConfig
> olcDatabase: {1}ldif
> olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za
>  /parts/new/instances/test/openldap-data
> olcSuffix: dc=test,dc=com
> olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,
>  ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
>  .ip="10.0.0.92" read by * none
> olcAccess: {1}to * by self write by peername.ip="127.0.0.1" write by * none
> olcRootDN: cn=Manager,dc=test,dc=com
> olcRootPW: test
>
>
> At this point, running ldapsearch from the computer with ip address
> 10.0.0.92 works correctly, and only the filtered results are returned.
> If I then add a second ACL:
>
>
> # {1}ldif, config
> dn: olcDatabase={1}ldif,cn=config
> objectClass: olcLdifConfig
> olcDatabase: {1}ldif
> olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za
>  /parts/new/instances/test/openldap-data
> olcSuffix: dc=test,dc=com
> olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.94,
>  ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
>  .ip="10.0.0.94" read by * none
> olcAccess: {1}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,
>  ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
>  .ip="10.0.0.92" read by * none
> olcAccess: {2}to * by self write by peername.ip="127.0.0.1" write by * none
> olcRootDN: cn=Manager,dc=test,dc=com
> olcRootPW: test
>
>
> The computer with IP 10.0.0.94 can now query LDAP, and receives the
> correct filtered results; however, the computer with IP 10.0.0.92
> receives a blank result:
>
>
> $ ldapsearch -x -h 10.0.0.91 -b dc=test,dc=com
> # extended LDIF
> #
> # LDAPv3
> # base <dc=test,dc=com> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 1
>
>
> Is this the way that ACLs work in openldap? Or have I missed a
> configuration setting somewhere?
>
> Thanks
> /Cole

Hi,

I have managed to solve this myself. I misunderstood the
documentation, and have subsequently realised that I needed to change
the ACL rules to the following:

 olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.94,
  ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
  .ip="10.0.0.94" read by * break
 olcAccess: {1}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,
  ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername
  .ip="10.0.0.92" read by * break

Sorry for the trouble.

Regards
/Cole
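The behaviour the thread runs into follows from how slapd evaluates an access list: the first olcAccess directive whose `to` clause matches the entry is selected, and within it the first `by` clause whose `who` matches the client decides. With the default `stop` control, a trailing `by * none` ends evaluation, so the second server rule is never reached by a client that fails the first one. The `break` control keeps the provisional result and moves on to the next matching directive instead. The Python model below is an added example written for this page, not code from the thread or from the OpenLDAP project. It assumes the memberOf overlay is loaded (so `uid=aaa` carries both `memberOf` values), that ldapsearch runs with a simple anonymous bind (so `self` never matches), and it models `by * break`, which names no access level, as carrying `none` forward; the `continue` control is deliberately left out.

```python
"""
Toy model of slapd access-list evaluation (added example, not from the thread).

Rules modelled, following slapd.access(5):
  * directives are tried in order; the first whose <to> matches the entry is used
  * inside it, <by> clauses are tried in order; the first whose <who> matches decides
  * control "stop" (default): evaluation ends with that level
  * control "break": keep the level provisionally and try the next matching directive
  * a matching <to> with no matching <by> behaves as an implicit "by * none"
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set

# slapd access levels in increasing order: a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


@dataclass
class Entry:
    dn: str
    object_classes: Set[str]
    member_of: Set[str] = field(default_factory=set)  # as the memberof overlay exposes it


@dataclass
class By:
    who: str                # "self", "*" or "peername.ip=<addr>"
    access: str             # one of LEVELS
    control: str = "stop"   # "stop" or "break" ("continue" is not modelled here)


@dataclass
class Access:
    to: Callable[[Entry], bool]   # stands in for the "to filter=(...)" clause
    by: List[By]


def who_matches(who: str, entry: Entry, bind_dn: Optional[str], peer_ip: str) -> bool:
    if who == "*":
        return True
    if who == "self":  # an anonymous bind (ldapsearch -x without -D) never matches "self"
        return bind_dn is not None and bind_dn == entry.dn
    if who.startswith("peername.ip="):
        return peer_ip == who.split("=", 1)[1]
    raise ValueError(f"unsupported <who> clause: {who}")


def granted_level(acl: List[Access], entry: Entry, peer_ip: str,
                  bind_dn: Optional[str] = None) -> str:
    """Return the access level the directive list grants this client on this entry."""
    mask = "none"
    for directive in acl:
        if not directive.to(entry):
            continue                        # <to> does not select this entry: next directive
        for clause in directive.by:
            if not who_matches(clause.who, entry, bind_dn, peer_ip):
                continue                    # next <by> clause of the same directive
            mask = clause.access
            if clause.control == "stop":
                return mask                 # default control: evaluation ends here
            if clause.control == "break":
                break                       # carry mask forward to the next matching directive
            raise ValueError(f"unsupported <control>: {clause.control}")
        else:
            return "none"                   # <to> matched but no <by> did: implicit "by * none"
    return mask


def can_read(acl: List[Access], entry: Entry, peer_ip: str, bind_dn: Optional[str] = None) -> bool:
    return LEVELS.index(granted_level(acl, entry, peer_ip, bind_dn)) >= LEVELS.index("read")


# Constructed directory content mirroring the thread's entries.
AAA = Entry("uid=aaa,dc=test,dc=com", {"inetOrgPerson", "posixAccount"},
            {"cn=10.0.0.92,ou=servers,dc=test,dc=com", "cn=10.0.0.94,ou=servers,dc=test,dc=com"})
GROUP_92 = Entry("cn=10.0.0.92,ou=servers,dc=test,dc=com", {"groupOfNames"})


def allowed_from(group_dn: str) -> Callable[[Entry], bool]:
    """to filter=(|(&(objectClass=inetOrgPerson)(memberOf=<group_dn>))(objectClass=posixGroup))"""
    return lambda e: ("inetOrgPerson" in e.object_classes and group_dn in e.member_of) \
        or "posixGroup" in e.object_classes


def server_rule(ip: str, tail: By) -> Access:
    """by self read by peername.ip="<ip>" read <tail>"""
    return Access(allowed_from(f"cn={ip},ou=servers,dc=test,dc=com"),
                  [By("self", "read"), By(f"peername.ip={ip}", "read"), tail])


# olcAccess: {2}to * by self write by peername.ip="127.0.0.1" write by * none
CATCH_ALL = Access(lambda e: True,
                   [By("self", "write"), By("peername.ip=127.0.0.1", "write"), By("*", "none")])

# The poster's second configuration: each server rule ends in "by * none" (control stop).
BROKEN_ACL = [server_rule("10.0.0.94", By("*", "none")),
              server_rule("10.0.0.92", By("*", "none")), CATCH_ALL]

# The follow-up fix: "by * break" (no level given, so "none" is carried) defers to later rules.
FIXED_ACL = [server_rule("10.0.0.94", By("*", "none", "break")),
             server_rule("10.0.0.92", By("*", "none", "break")), CATCH_ALL]


if __name__ == "__main__":
    for name, acl in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        for ip in ("10.0.0.92", "10.0.0.94", "10.0.0.93", "127.0.0.1"):
            print(f"{name}: {ip} -> {granted_level(acl, AAA, ip)} on {AAA.dn}")
```

Running the script traces the symptom from the thread: under `BROKEN_ACL`, a client at 10.0.0.92 hits the 10.0.0.94 directive first (uid=aaa is a member of both groups), falls to `by * none` and stops, while under `FIXED_ACL` the `break` hands it on to the 10.0.0.92 directive. An unlisted address such as 10.0.0.93 still ends at the final `to * ... by * none`, and the group entries themselves, which match neither filter, are only visible to 127.0.0.1, which is the filtering the poster wanted.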