Hi,
I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.
The machine itself is considered secure.
Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.
How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?
================
On an aside - I've tried unauthenticated localhost access - but cannot get that to work. This would be less desirable as anyone with ssh access to the server would be able to bypass security - but I'm still curious to know what I did wrong.
My slapd.d entries are:
cat /etc/ldap/slapd.d/cn=config.ldif
=======================================================================
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 62952116-3777-1031-8e1b-bfeeb6e70114
creatorsName: cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.839791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120521095922Z
olcAllows: bind_anon_cred bind_anon_dn update_anon     ### <<< Added this
=======================================================================

cat /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
=======================================================================
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=cch,dc=kcl,dc=ac,dc=uk
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by peername.regex=127.0.0.1 manage     ### <<< Added
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk
olcRootPW:: e1NTSEF9TVFtdlA4Q2FJUjZqOEdpMytlcWd5Zk1BUWFjVmpGM1c=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 62964ee2-3777-1031-8e25-bfeeb6e70114
creatorsName: cn=admin,cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.847576Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120521095922Z
=======================================================================
Sorry this is a bit of a numpty question - I'm learning slapd - in a hurry(!)
Many thanks in advance :)
Tim
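An added example of the "manage only over the unix socket" ACL asked for above; it is not from Tim's post, and it assumes Debian's default ldapi socket path /var/run/slapd/ldapi, that slapd is started with an ldapi:/// listener, and the {1}hdb database and cn=admin DN shown in the post. Two points drive the shape of it: slapd identifies an ldapi peer as "PATH=<socket>" (TCP peers as "IP=a.b.c.d:port"), so the peername.path style, not a regex over an IP, is what matches a socket connection; and slapd uses the first "to" clause whose target matches, then the first matching "by" clause inside it, so a manage grant placed after the userPassword rule never applies to userPassword. The grant therefore goes first, with "by * break" to fall through to the ordinary rules for everyone else.

```ldif
# Added example, not from the original post. Assumed: Debian paths, the
# {1}hdb database from the post, and an ldapi listener.
#
# Socket permissions are set on the listener, not in this LDIF. On Debian
# this is SLAPD_SERVICES in /etc/default/slapd; the ldapi URL takes an
# x-mod extension for the socket mode (verify against slapd(8) for 2.4.23):
#   SLAPD_SERVICES="ldap:/// ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/????x-mod=0600"
# Linux enforces write permission on the socket file for connect(), so a
# root-owned 0600 socket keeps everyone but root out.
#
# Option A (below): anyone who reached slapd over that socket gets manage;
# the socket mode is the only thing keeping this to root.
# Option B: identify root by SO_PEERCRED via SASL EXTERNAL instead, which
# holds even if the socket mode is relaxed later; replace the peername.path
# clause with
#   by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
# and connect with "ldapsearch -Y EXTERNAL -H ldapi:///".
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to *
  by peername.path=/var/run/slapd/ldapi manage
  by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange
  by self write
  by anonymous auth
  by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write
  by * none
olcAccess: {2}to dn.base=""
  by * read
olcAccess: {3}to *
  by self write
  by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write
  by * read
```

Continuation lines start with two spaces because LDIF strips the first one when it joins them. Apply the change with whatever identity can already modify cn=config (on Debian the config database grants that to root over ldapi by default, so `ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif` works), then check the identity slapd sees with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which prints the peercred DN used in option B. For plain loopback TCP, where the peer name is "IP=127.0.0.1:port", the matching style is peername.ip=127.0.0.1.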