Noob question:
I've set up chaining from my slave LDAP to the master. It seemed everything was working fine, until I realized that ANY user can now make modifications in the LDAP DB if it is done from the slave.
My ACLs allow full write access to the chain binddn. If I don't set this, chaining fails. But with it set, any valid, authenticated user can make DB changes (full write access).
I am confused as to why this is happening.
Info is below.
Thanks in advance, John
Version: openldap-2.3.43
ACLs on master (and slave):
# Who has access to read or change the password attribute
access to attrs=userPassword,shadowLastChange
    by self write
    by dn.base="cn=tooladmin,o=partner_x,dc=example,dc=net" write
    by group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
    by group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
    by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
    by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
    by anonymous auth
    by * none

# Keep partners out of mycompany db
access to dn.sub="o=mycompany,dc=example,dc=net"
    by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
    by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
    by dn.sub="o=partner_x,dc=example,dc=net" none
    by anonymous none
    by * none

# Allow the tool access to add and modify ToolAccessLevel, etc
access to filter="(|(objectClass=DiagnosticsPerson)(objectClass=ToolsAccess))"
    by dn.base="cn=tooladmin,o=partner_x,dc=example,dc=net" write
    by group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
    by group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
    by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
    by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
    by anonymous none
    by * read

# Finally, allow the main LDAP users access to everything else
access to *
    by group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
    by group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
    by group.exact="cn=administrators,o=mycompany,dc=example,dc=net" write
    by group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
    by anonymous none
    by * read
And the LDIFs:
# admin_partner_x, partner_x, example.net
dn: cn=admin_partner_x,o=partner_x,dc=example,dc=net
cn: admin_partner_x
objectClass: groupOfNames
description: Group of Admins with full access
member: cn=ldapChain,o=partner_x,dc=example,dc=net
member: cn=ldapEditor,o=partner_x,dc=example,dc=net

# admin_partner_x_RO, partner_x, example.net
dn: cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net
cn: admin_partner_x_RO
objectClass: groupOfNames
description: Group of Admins with readonly access
member: cn=simpleBind,o=partner_x,dc=example,dc=net
member: cn=syncRepl,o=partner_x,dc=example,dc=net

# tooladmin, partner_x, example.net
dn: cn=tooladmin,o=partner_x,dc=example,dc=net
sn: tooladmin
cn: tooladmin
userPassword:: dG9vbGFkbWlu
description: To allow access for tools. Per ACLs, this guy has write access to passwords and tool levels
objectClass: person

# jkane2, people, partner_x, example.net
dn: uid=jkane2,ou=people,o=partner_x,dc=example,dc=net
objectClass: person
objectClass: posixAccount
objectClass: DiagnosticsPerson
objectClass: ToolsAccess
cn: jkane2
loginShell: /bin/bash
uidNumber: 3805
uid: jkane2
homeDirectory: /jkane2
sn: jkane2
gidNumber: 950
ToolAccessLevel: subinfo
ToolDomain: example.net
DiagAccessLevel: DIAG_USER_T1
DiagGroup: partner_x
userPassword:: xxxxxxxxxxx
From the master, using some arbitrary user:
[jkane2@master]$ ldapadd -x -D 'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' -W <<EOF
dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
uid: testauserC
description: asdf
objectClass: account
objectClass: simpleSecurityObject
userPassword: testauser
EOF
Enter LDAP Password:
adding new entry "uid=testauserC,ou=people,o=partner_x,dc=example,dc=net"
ldapadd: Insufficient access (50)
        additional info: no write access to parent
From the slave:
[jkane2@slave]$ ldapadd -x -D 'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' -W <<EOF
dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
uid: testauserC
description: asdf
objectClass: account
objectClass: simpleSecurityObject
userPassword: testauser
EOF
Enter LDAP Password:
adding new entry "uid=testauserC,ou=people,o=partner_x,dc=example,dc=net"
[jkane2@slave]$ ldapsearch -x -D 'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' uid=testauserC -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=testauserC
# requesting: ALL
#

# testauserC, people, partner_x, example.net
dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
uid: testauserC
description: asdf
objectClass: account
objectClass: simpleSecurityObject

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
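An added configuration example, not from the original post (which does not show its chaining directives), of how this symptom arises and how to close it. It assumes the slave runs the chain overlay bound to the master as cn=ldapChain, the DN listed in the admin_partner_x group above, and that it currently forwards operations without identity assertion; the master URI and the password are placeholders.

```conf
# --- slave slapd.conf, weak form (assumed to match the symptom) ---
# The chain overlay chases the slave's write referrals to the master and
# performs every forwarded operation AS cn=ldapChain.  The master never
# sees uid=jkane2; it sees a member of cn=admin_partner_x and grants write,
# which is why the same ldapadd fails on the master but succeeds via the slave.
overlay              chain
# placeholder host
chain-uri            "ldap://master.example.net"
chain-idassert-bind  bindmethod=simple
                     binddn="cn=ldapChain,o=partner_x,dc=example,dc=net"
                     credentials="CHAIN_PASSWORD"
                     mode=none

# --- slave slapd.conf, hardened form ---
# mode=self still binds as cn=ldapChain but attaches a proxyAuthz control
# carrying the client's own DN, so the master evaluates its ACLs against
# uid=jkane2,... and returns "Insufficient access" just as it does locally.
overlay              chain
# placeholder host
chain-uri            "ldap://master.example.net"
chain-idassert-bind  bindmethod=simple
                     binddn="cn=ldapChain,o=partner_x,dc=example,dc=net"
                     credentials="CHAIN_PASSWORD"
                     mode=self
# Only identities under this subtree may be asserted through the chain;
# narrow it to the subtree the slave's clients actually live in.
chain-idassert-authzFrom "dn.subtree:dc=example,dc=net"

# --- master slapd.conf addition ---
# Honour proxyAuthz only where the binding entry carries an authzTo rule.
# cn=ldapChain must then be removed from cn=admin_partner_x: with nothing
# beyond "by * read" of its own it cannot write anything directly, it can
# only act on behalf of the clients its authzTo rule permits.
authz-policy         to
```

On the master, give the cn=ldapChain entry "authzTo: dn.subtree:dc=example,dc=net" and then confirm with slapacl -f slapd.conf -D "uid=jkane2,ou=people,o=partner_x,dc=example,dc=net" -b "ou=people,o=partner_x,dc=example,dc=net" children/write that the asserted user is denied the add that previously went through.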