
Re: Access auth granularity?



I searched for security in slapd.access(5) [1] and just found:

"The statements ssf=<n>, transport_ssf=<n>, tls_ssf=<n>, and sasl_ssf=<n> set the minimum required Security Strength Factor (ssf)
needed to grant access."


In regard to "security" slapd.conf(5) [2] states:

"security <factors>
... The directive may be specified globally and/or per-database."

Thus I don't see how this applies to my goal.


The following statement/example is taken from the current admin guide [3]:

access to dn="cn=example,cn=edu"
	by * ssf=256 read

Thus I tested, just for fun:
access to dn="ou=usersa,dc=example,dc=com"
	by * sasl_ssf=1 auth

Without success, which seems clear to me, because there is no SASL layer known during an initial bind. So, if I'm wrong, could you please be so kind as to go into more detail here?

Thank you very much.


[1] http://www.openldap.org/software/man.cgi?query=slapd.access&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
[2] http://www.openldap.org/software/man.cgi?query=slapd.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release
[3] http://www.openldap.org/doc/admin24/guide.html


On 09.05.2016 10:26, Dieter Klünter wrote:
On Mon, 9 May 2016 09:00:22 +0200, Dora Paula <deepee@gmx.net> wrote:

Dear List,

I've two subtrees that contain user-accounts:
ou=usersA,dc=example,dc=com and ou=usersB,dc=example,dc=com.

Goal: Users below ou=userA,... should only be allowed to bind using
sasl_bind, but not with simple_bind. Whereas users below
ou=usersB,... should be allowed to bind using both (or any kind of
bind).

I searched the documentation but without success. All I found was
disallow simplebind and sasl_ssf, but both seem to make no sense in
this case: while the first disallows simple_binds globally, the
combination of sasl_ssf and access auth is, or at least seems,
contradictory to me.

Question: Is it possible to achieve this goal using current openldap
release?

Yes, this is possible, man slapd.access(5), read on security,
security strength factors and transport layer security.

-Dieter
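As an added illustration, not taken from this thread, one way to express the stated goal with slapd.conf ACLs: a simple bind needs "auth" access to userPassword, so denying that access under ou=usersA stops simple binds there while leaving SASL mechanisms such as EXTERNAL or GSSAPI untouched, since those identities are mapped with authz-regexp and never consult userPassword. The tls_ssf clause is the ACL-level ssf usage from the admin guide example; it assumes TLS is configured, and the DN values are the ones from the thread.

```conf
# Added example (not the list's or OpenLDAP's own configuration).
# ACLs are evaluated in order, first matching "access to" wins, so the
# userPassword rules must precede any general "access to *" rule.

# ou=usersA: no "auth" access to userPassword for anyone, so a simple bind
# as any DN in this subtree fails with invalid credentials. SASL EXTERNAL
# and GSSAPI binds do not read userPassword and are therefore unaffected.
access to dn.subtree="ou=usersA,dc=example,dc=com" attrs=userPassword
	by * none

# ou=usersB: simple binds allowed, but only over TLS with at least a
# 128-bit cipher. tls_ssf works here because the TLS layer already exists
# when the bind request arrives (unlike sasl_ssf, which is only set after a
# SASL bind has installed a security layer).
access to dn.subtree="ou=usersB,dc=example,dc=com" attrs=userPassword
	by tls_ssf=128 self write
	by tls_ssf=128 anonymous auth
	by * none

# Everything else: authenticated users may read, anonymous gets nothing.
access to *
	by users read
	by * none
```

Test the result from a client with `ldapwhoami -x -D "uid=someone,ou=usersA,dc=example,dc=com" -W` (expected to fail) versus `ldapwhoami -Y EXTERNAL` or `-Y GSSAPI` (expected to succeed once authz-regexp maps the identity).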