On 09.05.2016 12:31, Dieter Klünter wrote:
Am Mon, 9 May 2016 11:00:38 +0200 schrieb Dora Paula <deepee@gmx.net>:I searched for security in slapd.access(5) [1] and just found: "The statements ssf=<n>, transport_ssf=<n>, tls_ssf=<n>, and sasl_ssf=<n> set the minimum required Security Strength Factor (ssf) needed to grant access." In regard to "security" slapd.conf(5) [2] states: "security <factors> ... The directive may be specified globally and/or per-database." Thus I don't see how this applies to my goal. The following statement/example is taken from the current admin guide [3]: access to dn="cn=example,cn=edu" by * ssf=256 read Thus I tested, just for fun: access to dn="ou=usersa,dc=example,dc=com" by * sasl_ssf=1 auth Without success - which seems clear to me, because there is no sasl-layer known during an initial bind. So, if I'm wrong, could you please be so kind and go into more detail here? Thank you very much.[...] Any password transport should be protected by some means of transport security, that is, either sasl DIGEST-MD5 or TLS. security=1 access to dn.sub=ou=userA,dc=example,dc=com by * sasl_ssf=128 read access to dn.sub=ou=userB,dc=example,dc=com by * ssf=56 read or alternatively by transport_ssf=56 read -Dieter
Dieter,please note: Access auth is the question. Thus I think your example using access read misses the point here.
Nevertheless I've set security ssf=1 for the database, used the following acl ...
access to dn.one="ou=usersA,dc=example,dc=com" attrs=cn by anonymous sasl_ssf=128 auth by users read by * none... and tried an "ldapwhoami -Y DIGEST-MD5 -U ...", which does not work as expected. Please see the "ACL 1 > OP 0" in the following log excerpt:
57307aa4 => acl_mask: access to entry "cn=test,ou=usersA,dc=example,dc=com", attr "cn" requested
57307aa4 => acl_mask: to value by "", (=0) 57307aa4 <= check a_dn_pat: anonymous 57307aa4 <= check a_authz.sai_sasl_ssf: ACL 1 > OP 0 57307aa4 <= check a_dn_pat: self 57307aa4 <= check a_dn_pat: * 57307aa4 <= acl_mask: [5] applying none(=0) (stop) 57307aa4 <= acl_mask: [5] mask: none(=0) 57307aa4 => slap_access_allowed: auth access denied by none(=0) General note regaring my setup:Without the security and ssf stuff the test user can successfully bind using simple and sasl bind - so far so good. All I would like to achieve, is to restrict binds locally (see dn.one=...) to sasl-only, without disallowing simple bind globally.
Is this possible? If yes, how? Thanks again.