Hi all,
I use the following rules in my configuration:
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=extern
al,cn=auth" manage by * break
olcAccess: {1}to dn.one="ou=people,dc=xmpl,dc=co" filter="(pwdReset=TRUE)" a
ttrs=userPassword by * none
olcAccess: {2}to dn.subtree="ou=people,dc=xmpl,dc=co" by dn.base="cn=radius,
ou=admins,dc=xmpl,dc=co" read by * break
olcAccess: {3}to attrs=userPassword by anonymous auth
olcAccess: {4}to dn.base="dc=xmpl,dc=co" by * read
olcAccess: {5}to dn.subtree="ou=people,dc=xmpl,dc=co" by * read
I have issues with rule {1} which I have set in order to disallow ldap bind and radius
authentication from users whose password has been reset. I found out that this rule works
when I request all attributes of a matching entry (uid=jdoe,ou=people,dc=xmpl,dc=co), but
if I request specifically the attribute userPassword, its value is returned as if this
rule did not exist:
% ldapsearch -H ldapi:/// -D "cn=radius,ou=admins,dc=xmpl,dc=co" -W -x -b
"ou=people,dc=xmpl,dc=co" "uid=jdoe"
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=xmpl,dc=co> with scope subtree
# filter: uid=jdoe
# requesting: ALL
#
# jdoe, people, xmpl.co
dn: uid=jdoe,ou=people,dc=xmpl,dc=co
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: John Doe
sn: Doe
uid: jdoe
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
% ldapsearch -H ldapi:/// -D "cn=radius,ou=admins,dc=xmpl,dc=co" -W -x -b
"ou=people,dc=xmpl,dc=co" "uid=jdoe" "userPassword"
# extended LDIF
#
# LDAPv3
# base <ou=people,dc=xmpl,dc=co> with scope subtree
# filter: uid=jdoe
# requesting: userPassword
#
# jdoe, people, xmpl.co
dn: uid=jdoe,ou=people,dc=xmpl,dc=co
userPassword:: dGVzdDEyMw==
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
------------------------------------------
slapacl shows it should be ok in any case:
% slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=radius,ou=admins,dc=xmpl,dc=co" -b
"uid=jdoe,ou=people,dc=xmpl,dc=co"
authcDN: "cn=radius,ou=admins,dc=xmpl,dc=co"
entry: read(=rscxd)
children: read(=rscxd)
objectClass=inetOrgPerson: read(=rscxd)
objectClass=organizationalPerson: read(=rscxd)
objectClass=person: read(=rscxd)
objectClass=top: read(=rscxd)
structuralObjectClass=inetOrgPerson: read(=rscxd)
entryUUID=e959dfb8-76b6-1033-8972-4b1922a532ac: read(=rscxd)
creatorsName=cn=admin,dc=xmpl,dc=co: read(=rscxd)
createTimestamp=20140523111245Z: read(=rscxd)
cn=John Doe: read(=rscxd)
sn=Doe: read(=rscxd)
uid=jdoe: read(=rscxd)
userPassword=****: none(=0)
pwdChangedTime=20140602101409Z: read(=rscxd)
pwdReset=TRUE: read(=rscxd)
entryCSN=20140602101723.590271Z#000000#000#000000: read(=rscxd)
modifiersName=cn=admin,dc=xmpl,dc=co: read(=rscxd)
modifyTimestamp=20140602101723Z: read(=rscxd)
% slapacl -F /usr/local/etc/openldap/slapd.d/ -v -D "cn=radius,ou=admins,dc=xmpl,dc=co" -b
"uid=jdoe,ou=people,dc=xmpl,dc=co" userPassword/read
authcDN: "cn=radius,ou=admins,dc=xmpl,dc=co"
read access to userPassword: DENIED
------------------------------------------
If I change the rule and keep just the filter or the attribute, like:
olcAccess: {1}to dn.one="ou=people,dc=xmpl,dc=co" filter="(pwdReset=TRUE)" b
y * none
OR
olcAccess: {1}to dn.one="ou=people,dc=xmpl,dc=co" attrs=userPassword by * no
ne
then it seems to work ok in all cases.
# /usr/local/libexec/slapd -V
@(#) $OpenLDAP: slapd 2.4.39 (May 9 2014 09:26:03) $
root@xmpl.co:/usr/ports/net/openldap24-server/work/openldap-2.4.39/servers/slapd
Am I doing something wrong or is this a bug?
Thanks in advance,
John