Jonathan Knight wrote:
Aaron Richton wrote:
I think you're making this harder than it needs to be, or at least in a way that I find less intuitive.
Many thanks for your help Aaron. I went down the ACL route but chose a slightly different method.
What I did was to use the "relay" backend to duplicate the dc=people,dc=kdir,dc=keele,dc=ac,dc=uk tree and then apply an ACL as you suggested to block access to the relay tree if the attribute wasn't set.
i.e.
access to dn.children="dc=webct,dc=kdir,dc=keele,dc=keele,dc=ac,dc=uk" filter="(kdirVle=no)" by * =rcsd
access to * by * read
with the aim of blocking the auth bit (x) if the flag was set to "no". That way the broken client could find the user, but would not be able to authenticate. I expected that would give a better error message or "authentication failed" rather than "user unknown".
This didn't work - I could bind as a user in that subtree with the flag set to false with no trouble at all.
I started slapd with debug set for the ACLs to see where I'd gone wrong and although there are a lot of calls to acl_mask, acl_get and so on after the bind, the bind itself doesn't seem to call any ACLs at all.
So I wonder if I've missed something. Should I see calls to ACLs in the bind call?
It's hard to tell without seeing your whole configuration. Auth (by simple bind) uses ACLs. In detail, it needs auth access to userPassword. The ACL you show above should indeed prevent auth; however, everybody would see the userPassword of everybody under that tree (=r). If this doesn't actually happen, then there must be an earlier
access to attrs=userPassword by * auth
that intercepts auth requests, thus defeating your rule.
Something along the lines of:
access to dn.children="dc=example,dc=com" filter="(yourmagicfilter)" attrs=userPassword by * none
access to dn.children="dc=example,dc=com" filter="(yourmagicfilter)" by * =rcsd
access to attrs=userPassword by * auth
access to * by * read
In any case, I don't quite understand why you need back-relay; is it because you also need to fake the naming context? Or because you want "smart" applications to have regular privileges? Otherwise ACLs for your real database would just suffice.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it
Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it
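As an added illustration of the first-match point made in the reply above (this is not code from the thread or from OpenLDAP), a small Python model of how slapd picks the first "access to" clause whose target matches and then grants only that clause's privileges. It models "by *" only and a single equality filter; the base DN, user DN, kdirVle values and the two rule orderings are constructed stand-ins for the ones discussed.

```python
import shlex
# Cumulative privileges of slapd access levels (none < disclose < auth < compare < search < read).
LEVELS = {"none": "", "disclose": "d", "auth": "dx", "compare": "dxc", "search": "dxcs", "read": "dxcsr"}
def parse_acl(line):
    """Parse 'access to [dn.children=..] [filter=..] [attrs=..] by <who> <access>' (by * only)."""
    tokens = shlex.split(line)
    by = tokens.index("by")
    rule = {"dn_children": None, "filter": None, "attrs": None, "access": tokens[by + 2]}
    for tok in tokens[2:by]:            # target clauses; a bare "*" means every entry
        key, _, val = tok.partition("=")
        if key == "dn.children":
            rule["dn_children"] = val.lower()
        elif key == "filter":
            rule["filter"] = val        # only a single equality filter is modelled here
        elif key == "attrs":
            rule["attrs"] = set(val.split(","))
    return rule

def matches(rule, dn, entry, attr):
    """True if the rule's target (subtree, filter, attribute list) covers this attribute of this entry."""
    if rule["dn_children"] and not dn.lower().endswith("," + rule["dn_children"]):
        return False
    if rule["filter"]:
        a, v = rule["filter"].strip("()").split("=", 1)
        if entry.get(a.lower()) != v:
            return False
    return not rule["attrs"] or attr in rule["attrs"]

def granted(acl_lines, dn, entry, attr, priv):
    """First match wins: the first rule whose target matches decides, later rules are never consulted."""
    for rule in map(parse_acl, acl_lines):
        if matches(rule, dn, entry, attr):
            spec = rule["access"]       # either an explicit set such as "=rcsd" or a level name
            return priv in (set(spec[1:]) if spec.startswith("=") else set(LEVELS[spec]))
    return False                        # no rule matched: slapd denies

def can_bind(acl_lines, dn, entry):
    """A simple bind needs auth ('x') access to the entry's userPassword."""
    return granted(acl_lines, dn, entry, "userPassword", "x")

# Constructed stand-ins for the thread's tree, flag attribute and the two rule orderings.
BASE = "dc=example,dc=com"
DEFEATED = ["access to attrs=userPassword by * auth",
            f'access to dn.children="{BASE}" filter="(kdirVle=no)" by * =rcsd',
            "access to * by * read"]
SUGGESTED = [f'access to dn.children="{BASE}" filter="(kdirVle=no)" attrs=userPassword by * none',
             f'access to dn.children="{BASE}" filter="(kdirVle=no)" by * =rcsd',
             "access to attrs=userPassword by * auth",
             "access to * by * read"]
USER, FLAGGED, NORMAL = f"uid=jdoe,{BASE}", {"kdirvle": "no"}, {"kdirvle": "yes"}
```

With the generic userPassword rule first, the flagged user still binds; with the suggested ordering the flagged user is refused auth on userPassword but the entry stays readable, so a client can still find it.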