--On Friday, September 06, 2013 1:46 PM -0500 espeake@oreillyauto.com wrote:
From: Quanah Gibson-Mount quanah@zimbra.com To: espeake@oreillyauto.com Cc: openldap-technical@openldap.org Date: 09/06/2013 12:29 PM Subject: Re: SyncRepl Chaining
--On Friday, September 06, 2013 12:21 PM -0500 espeake@oreillyauto.com wrote:
add: olcAccess olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=passwordAdmin,ou=System,dc=oreillyauto,dc=com" write break
This should be "by * break" not "break"
You have no ACL granting access to the pseudo-attribute "entry".
I personally have as my last ACL:
olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Here is the access list from a new slapcat, this is for olcDatabase={1}hdb
olcAccess: {0}to * by dn.base="uid=syncrepl,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=readOnlyUser,ou=System,dc=oreillyauto,dc=com" read by dn.base="uid=ldapAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base ="uid=newUserAdmin,ou=System,dc=oreillyauto,dc=com" write by dn.base="uid=p asswordAdmin,ou=System,dc=oreillyauto,dc=com" write by * break olcAccess: {1}to dn.subtree="dc=oreillyauto,dc=com" by group/groupOfUniqueNa mes/uniqueMember="cn=System Administrators,ou=Groups,dc=oreillyauto,dc=com" w rite by group/groupOfUniqueNames/uniqueMember="cn=LDAP Admin,ou=Groups,dc=o reillyauto,dc=com" write olcAccess: {2}to attrs=userPassword by group/groupOfUniqueNames/uniqueMember ="cn=Authenticate,ou=Groups,dc=oreillyauto,dc=com" write by anonymous read olcAccess: {3}to attrs=uid by anonymous read by users read olcAccess: {4}to attrs=ou,employeeNumber by users read olcAccess: {5}to dn.subtree="ou=System,dc=oreillyauto,dc=com" by dn.subtree= "ou=Users,dc=oreillyauto,dc=com" none by users read olcAccess: {6}to dn.children="ou=Groups,dc=oreillyauto,dc=com" by dnattr=own er write by dnattr=uniqueMember read by * none olcAccess: {7}to dn.children="ou=Users,dc=oreillyauto,dc=com" by self read by group/groupOfUniqueNames/uniqueMember="cn=Authenticate,ou=Groups,dc=oreill yauto,dc=com" read by * none olcAccess: {8}to * by self read by users read olcAccess: {9} to attrs=entry by dn.children="cn=admins" write by * read
Your acls are still clearly a mess.
olcAccess{1} blocks access to most of the tree for everything but two identities.
I would also note that ACL 9 is clearly never going to be evaluated because ACL{8} covers everything, and has no break clause.
I would also note that ACL2 is a significant security risk, as it grants read access on the user password attribute to anonymous, instead of AUTH access.
I would note that ACLs 5, 6, and 7 will never be evaluated because of ACL{1}
I would note that ACLS 3, 4, and 8 likely do not do anything, given ACL{1}, since the majority of the tree is closed to them. You probably want a by * break on ACL{1} as well.
I would note that the general way in which you've structured your ACLs makes them difficult to evaluate and maintain.
--Quanah
--
Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration