[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: search request not blocked by ACLs

To: Manuela Mandache <manuela3mandache@gmail.com>
Subject: Re: search request not blocked by ACLs
From: Quanah Gibson-Mount <quanah@symas.com>
Date: Mon, 09 Sep 2019 09:25:34 -0700
Cc: openldap-technical@openldap.org
Content-disposition: inline
In-reply-to: <CANN-7tWf83RL=Be=G-JLxXg9Ug8Jm1-y-UC2n7Y5cdHxAg91hA@mail.gmail.com>
References: <CANN-7tUr_UUModmT5rwH1tKjmOfCRiE-_okx_=Xp14OEH+oCQw@mail.gmail.com> <F1B1D06E80EA5E29D91FAB4D@192.168.1.144> <CANN-7tWf83RL=Be=G-JLxXg9Ug8Jm1-y-UC2n7Y5cdHxAg91hA@mail.gmail.com>

--On Thursday, September 5, 2019 10:35 AM +0200 Manuela Mandache<manuela3mandache@gmail.com> wrote:







Le mer. 4 sept. 2019 à 16:00, Quanah Gibson-Mount <quanah@symas.com> a
écrit :

--On Wednesday, September 4, 2019 1:56 PM +0200 Manuela Mandache
<manuela3mandache@gmail.com> wrote:

olcAccess: {0}to * by dn.base="cn=admin,cn=config" manage by
dn.base="cn=adm
 in,dc=example,dc=com" manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base=cn=Subschema by * read
olcAccess: {3}to dn.subtree="dc=example,dc=com" attrs=userPassword by *
auth
olcAccess: {4}to dn.subtree="dc=example,dc=com" attrs=entry by * read
olcAccess: {5}to dn.subtree="dc=example,dc=com" attrs=cn,mail by * read
olcAccess: {6}to * by anonymous none by * read


On what cn=config entry have you set these ACLs?




They're on
olcDatabase={2}mdb,cn=config
This is the DB containing the actual data of the directory, with
olcSuffix: dc=example,dc=com


Given that, I would make the following notes:

a) rootDNs are never subject to ACLs, so the access for cn=admin,cn=configmanage in {0} is suspect, as I would infer that is a rootdn.

b) ACL {1} is invalid for this database. It should be set in the dn:olcDatabase={-1}frontend,cn=config database


c) ACL {2} is invalid for this database.  See solution listed in (b)

d) ACL {3} should only give auth access to anonymous, not *

e) ACLs 3-5 should be rewritten to drop the dn.subtree="dc=example,dc=com"bit entirely. You're already only setting ACLs for that database, no needto list that restriction. You can also combine ACLs 4 & 5.


olcAccess: {3} to attrs=userPassword by anonymous auth
olcAccess: {4} to attrs=entry,cn,mail by * read
olcAccess: {5} to * by anonymous none by * read

As for your question in general, I don't think you understand how ACLs workin relation to incoming search requests. The server did exactly what yourACLs said it should do: It provided no information when someone tried tosearch for data using an attribute that access is not granted to, andcorrectly returned 0 entries. It sounds as though you expected theconnection to be dropped when the search was initiated because it wasfiltering off of sn. That is now how things work.


Regards,
Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>

References:
- search request not blocked by ACLs
  - From: Manuela Mandache <manuela3mandache@gmail.com>
- Re: search request not blocked by ACLs
  - From: Manuela Mandache <manuela3mandache@gmail.com>

Prev by Date: Re: Why is dc=my-domain,dc=com in my namingContext?
Next by Date: Re: Is there a simple document that explains the various admin passwords?
Index(es):
- Chronological
- Thread