Full_Name: John Alex. Version: 2.4.39 OS: FreeBSD 9.2-RELEASE URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (62.1.253.119)
When enabling the rwm overlay on a database, even without setting any rewrite rules, in certain cases some access rules are not evaluated correctly.
My test configuration (without the cn=schema,cn=config entries):
dn: cn=config objectClass: olcGlobal cn: config olcConfigFile: slapd.conf olcConfigDir: slapd.d olcArgsFile: /var/run/openldap/slapd.args olcAttributeOptions: lang- olcLogLevel: stats acl olcPidFile: /var/run/openldap/slapd.pid olcTLSCRLCheck: none olcTLSVerifyClient: never olcTLSProtocolMin: 0.0
dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModulePath: /usr/local/libexec/openldap olcModuleLoad: {0}back_mdb
dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcSchemaDN: cn=Subschema
dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage olcAddContentAcl: TRUE olcRootDN: cn=admin,cn=config olcRootPW:: dGVzdDEyMw==
dn: olcDatabase={1}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /var/db/openldap-data/main olcSuffix: dc=example,dc=com olcRootDN: cn=admin,dc=example,dc=com olcDbIndex: objectClass eq olcDbIndex: ou,uid eq olcDbMaxSize: 4294967296 olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" manage by * break olcAccess: {1}to dn.one="ou=people,dc=example,dc=com" filter="(ou=someunit)" a ttrs=userPassword by * none olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com" by dn.base="cn=suser ,ou=admins,dc=example,dc=com" read by * break olcAccess: {3}to attrs=userPassword by anonymous auth olcAccess: {4}to dn.base="dc=example,dc=com" by * read olcAccess: {5}to dn.subtree="ou=people,dc=example,dc=com" by * read olcRootPW:: dGVzdDEyMw==
dn: olcOverlay={0}rwm,olcDatabase={1}mdb,cn=config objectClass: olcRwmConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {0}rwm
-------------------------------------------------
And the contents of the main db:
dn: dc=example,dc=com objectClass: organization objectClass: top objectClass: dcObject dc: example o: example.com
dn: ou=admins,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: admins
dn: ou=people,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: people
dn: cn=suser,ou=admins,dc=example,dc=com sn: - cn: suser objectClass: person objectClass: top userPassword:: dGVzdDEyMw==
dn: uid=jdoe,ou=people,dc=example,dc=com uid: jdoe sn: Doe cn: John Doe objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top ou: someunit userPassword:: dGVzdDEyMw==
-------------------------------------------------
The above rules should not allow anyone but the local root user access to the userPassword attribute of entries under "ou=people,dc=example,dc=com" that match the filter (ou=someunit). slapacl confirms that for user 'suser':
% slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=suser,ou=admins,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com"
authcDN: "cn=suser,ou=admins,dc=example,dc=com" entry: read(=rscxd) children: read(=rscxd) uid=jdoe: read(=rscxd) sn=Doe: read(=rscxd) cn=John Doe: read(=rscxd) objectClass=inetOrgPerson: read(=rscxd) objectClass=organizationalPerson: read(=rscxd) objectClass=person: read(=rscxd) objectClass=top: read(=rscxd) structuralObjectClass=inetOrgPerson: read(=rscxd) entryUUID=a6478f94-80df-1033-8692-c5a9d2143987: read(=rscxd) creatorsName=cn=admin,dc=example,dc=com: read(=rscxd) createTimestamp=20140605092934Z: read(=rscxd) ou=someunit: read(=rscxd) userPassword=****: none(=0) entryCSN=20140605093709.772129Z#000000#000#000000: read(=rscxd) modifiersName=cn=admin,dc=example,dc=com: read(=rscxd) modifyTimestamp=20140605093709Z: read(=rscxd)
% slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=suser,ou=admins,dc=example,dc=com" -b "uid=jdoe,ou=people,dc=example,dc=com" userPassword/read
authcDN: "cn=suser,ou=admins,dc=example,dc=com" read access to userPassword: DENIED
-------------------------------------------------
Requesting all attributes of the entry "uid=jdoe,ou=people,dc=example,dc=com" yields the expected result:
% ldapsearch -LLL -H ldapi:/// -D "cn=suser,ou=admins,dc=example,dc=com" -W -x -b "ou=people,dc=example,dc=com" "uid=jdoe"
dn: uid=jdoe,ou=people,dc=example,dc=com uid: jdoe sn: Doe cn: John Doe objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top ou: someunit
However, when requesting the userPassword attribute explicitly, the rule that blocks access to that attribute is somehow ignored:
% ldapsearch -LLL -H ldapi:/// -D "cn=suser,ou=admins,dc=example,dc=com" -W -x -b "ou=people,dc=example,dc=com" "uid=jdoe" "userPassword"
dn: uid=jdoe,ou=people,dc=example,dc=com userPassword:: dGVzdDEyMw==
-------------------------------------------------
Removing either the "filter=(ou=someunit)" or the "attrs=userPassword" part of the corresponding rule results in correct parsing of the ACL in the above cases, but in order for the full rule to work, I had to remove the rwm overlay configuration completely (setting "rwm-rewriteEngine off" did not make a difference).
# /usr/local/libexec/slapd -V @(#) $OpenLDAP: slapd 2.4.39 (May 9 2014 09:26:03) $
-
alexoz66@gmail.com