
RE: Problem with ACLs



Bill,

The slapacl command can help here. It analyzes permissions granted by the
ACLs, and if the -d -1 option (debugging) is included with the command, it
will tell which ACL is processed that grants what permission. That will
help you identify why your user isn't being granted the permissions you
expect. Below are a couple of examples. You can craft your own slapacl
command from them.

slapacl -f /usr/local/etc/openldap/slapd.conf -v \
        -U bjorn -b "o=University of Michigan,c=US" \
        "o/read:University of Michigan"

	Tests whether the user bjorn can access the attribute o of the
entry o=University of Michigan,c=US at read level

slapacl -f slapd.conf -v \
        -D "cn=Belle Moxley,ou=Accounting,dc=example,dc=com" \
        -b "cn=Andre Grills,ou=Janitorial,dc=example,dc=com" \
        telephoneNumber/read fax/read facsimileTelephoneNumber/read

	Tests whether a user from Accounting can access telephone and fax
number attributes for a user in Janitorial.

Let me know if you need further assistance.
Jason Trupp
Symas Corporation
(855) LDAP-GUY
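The following is an added illustration, not code from this thread or from OpenLDAP: a small Python model of slapd's first-match ACL evaluation (the rule from slapd.access(5): the first "to" clause whose target matches is selected, then the first matching "by" line decides, and insufficient access stops evaluation). Given a bind DN, a target entry, an attribute and the requested level, it reports which olcAccess clause and which "by" line decided the outcome, which is the question slapacl -d -1 answers against the configuration the server actually loaded. The ACL below is transcribed from the quoted message; the requester and target DNs are constructed for the example, and only the selectors used in that ACL (dn, dn.exact, anonymous, self, *, attrs, dn.base) are modelled.

```python
"""Minimal model of OpenLDAP first-match ACL evaluation (added example).

Not OpenLDAP code: it handles only the selectors that appear in the quoted
olcAccess, ignores regex/set selectors, ssf conditions and break/continue
controls, and compares DNs case-insensitively as a stand-in for real DN
normalisation. slapacl against the live config remains the authority.
"""

# Access levels in increasing order of privilege (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# ACL transcribed from the quoted message, as a constructed clause list.
# Each clause: a 'to' target filter and an ordered list of (who, value, level).
ACL = [
    {"to": {"attrs": {"userPassword", "shadowLastChange"}},
     "by": [("dn", "cn=Manager,dc=domain,dc=com", "write"),
            ("dn.exact", "uid=romanager,ou=Users,dc=domain,dc=com", "read"),
            ("anonymous", None, "auth"),
            ("self", None, "write"),
            ("*", None, "none")]},
    {"to": {"dn.base": ""},                      # the root DSE
     "by": [("*", None, "read")]},
    {"to": {},                                   # 'to *'
     "by": [("dn", "cn=Manager,dc=domain,dc=com", "write"),
            ("*", None, "read")]},
]


def level_ok(granted, wanted):
    """True when the granted level is at least the requested one."""
    return LEVELS.index(granted) >= LEVELS.index(wanted)


def target_matches(to, target_dn, attr):
    """Does this 'to' clause select the (entry, attribute) being accessed?"""
    if "dn.base" in to and target_dn.lower() != to["dn.base"].lower():
        return False
    if "attrs" in to and attr not in to["attrs"]:
        return False
    return True


def who_matches(kind, value, bind_dn, target_dn):
    """Does this 'by' selector match the requester? '' means anonymous."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if kind in ("dn", "dn.exact"):       # both are exact matches here
        return bind_dn.lower() == value.lower()
    raise ValueError(f"unsupported 'by' selector: {kind}")


def check(acl, bind_dn, target_dn, attr, wanted):
    """Return (allowed, clause_index, by_index).

    clause_index is None when no 'to' clause matched; by_index is None when
    a clause matched but none of its 'by' lines did. Both cases deny, which
    is slapd's implicit trailing 'by * none'.
    """
    for i, clause in enumerate(acl):
        if not target_matches(clause["to"], target_dn, attr):
            continue
        for j, (kind, value, granted) in enumerate(clause["by"]):
            if who_matches(kind, value, bind_dn, target_dn):
                # First matching 'by' decides; too little access stops here.
                return level_ok(granted, wanted), i, j
        return False, i, None
    return False, None, None


def explain(acl, bind_dn, target_dn, attr, wanted):
    """Human-readable verdict in the spirit of slapacl's debug output."""
    allowed, i, j = check(acl, bind_dn, target_dn, attr, wanted)
    who = bind_dn or "anonymous"
    if i is None:
        return f"{who}: {attr}/{wanted} on {target_dn}: DENIED (no ACL matched)"
    by = "no 'by' matched" if j is None else "by " + " ".join(
        str(x) for x in acl[i]["by"][j] if x is not None)
    verdict = "ALLOWED" if allowed else "DENIED"
    return f"{who}: {attr}/{wanted} on {target_dn}: {verdict} (olcAccess {{{i}}}, {by})"


if __name__ == "__main__":
    ro = "uid=romanager,ou=Users,dc=domain,dc=com"
    alice = "uid=alice,ou=Users,dc=domain,dc=com"     # constructed entries
    bob = "uid=bob,ou=Users,dc=domain,dc=com"
    print(explain(ACL, ro, alice, "userPassword", "read"))
    print(explain(ACL, alice, bob, "userPassword", "read"))
    print(explain(ACL, "", alice, "userPassword", "auth"))
    print(explain(ACL, "", alice, "cn", "read"))
```

Run as written, the model grants romanager read on another entry's userPassword through olcAccess {0}, second "by" line, i.e. exactly what the ACL text says. When slapacl against the running server reports something different, the ACL the server loaded is not the one you think it is, which is why it is worth checking the actual configuration rather than the LDIF.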

-----Original Message-----
From: openldap-technical <openldap-technical-bounces@openldap.org> On
Behalf Of Bill Bradford
Sent: Thursday, August 30, 2018 2:17 PM
To: openldap-technical@openldap.org
Subject: Problem with ACLs

Trying to give a single user "read only" access to everything in the
database including userPassword info.

Here's the LDIF file I'm using w/ldapmodify:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn="cn=Manager,dc=domain,dc=com" write
  by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
  by anonymous auth
  by self write
  by * none
olcAccess: {1}to dn.base=""
  by * read
olcAccess: {2}to *
  by dn="cn=Manager,dc=domain,dc=com" write
  by * read

However, authenticating as uid=romanager,ou=Users,dc=domain,dc=com
lets that user read his own password hash, but nobody else's.  In other
words it's authenticating just like any other user, and it's as if the 

by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read

line is being ignored.  The change is being applied as I've looked at the
database files for the config.  I've tried restarting slapd, etc.

Any suggestions?

@(#) $OpenLDAP: slapd 2.4.44 (Aug  4 2017 14:23:27) $

Bill

--
Bill Bradford
Houston, Texas USA