Hi!
It seems I did not understand the "by * break" compared to plain "break" from the manual page: I thought the control "binds to" "<what>", while it seems it "binds to" "<who>". So I thought "by * break" means "by * none break", and as "by * none" seems to be the default, I left out the "by *". Maybe the manual page could be a bit clearer on that.
Kind regards, Ulrich
-----Original Message----- From: Quanah Gibson-Mount quanah@fast-mail.org Sent: Friday, June 21, 2024 6:11 PM To: Windl, Ulrich u.windl@ukr.de; openldap-technical <openldap-technical@openldap.org> Subject: [EXT] RE: Re: FW: Accessing ppolicy attributes as non-admin in 2.4
--On Friday, June 21, 2024 9:24 AM +0000 "Windl, Ulrich" u.windl@ukr.de wrote:
Hi
Sorry, I have to use Outlook, which seems unable to support quoting a message for replying, so I top-post:
Why hdb? So far it worked fine for us, and mdb seems to need much more space in RAM and on disk.
This is factually incorrect. MDB requires fewer resources to operate, including RAM and disk space.
https://mishikal.wordpress.com/category/openldap-benchmarking/
I would also note that:
a) You're using ppolicy, which has been substantially reworked and improved in later releases.
b) OpenLDAP 2.4 only supports unsupported versions of OpenSSL that now have open CVEs against them (although if you're linked to the OS openssl, at least for now, they probably are paying for extended support). This will eventually run out however.
"Which attribute(s) does it need to read?" Everything needed to examine the status of the account (change of password, policy, policy's settings)
So my ACLs are not correct it seems.
What I don't understand is this: The manual says about break: "... while the break form allows for other <access> clauses that match the same target to be processed.", so I thought using break WILL allow the following clauses to be processed, while you seem to tell the opposite.
As I understand it, my ACLs are this:
# 0 allows read for replication
# 1: prevents the admin users to be read from roleOccupant
# 2: allows reading pp attributes for the checker account, and using
#    "break" should mean to continue checking other rules
# 3 should allow users to change the password and certificate, as well as authenticate
You put break on *pp*'s access, meaning that the access rule for PP is modified by the following rules. If you want PP's access to be *unchanged* by the following rules, you need to remove "break" for *it*. And then add a rule that breaks it (continues processing) for all other identities.
These are terrible examples, but hopefully they help with understanding the difference:
Example 1:
access to attr=blah by joe read break
access to attr=blah by * none
-> Joe has no access to "blah" because his access line has a "break" clause, so it is affected by the following ACL.
Example 2:
access to attr=blah by joe read by * break
access to attr=blah by * none
-> Joe has full read access to blah, all other identities will have no access.
--Quanah
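As an added illustration, not OpenLDAP code and not part of this thread, here is a small Python model of how slapd walks access directives with the default "stop" control versus "break", run over the two examples above. The data model and its simplifications are assumptions: only absolute privilege levels are modelled, a "by" clause without a level (as in "by * break") leaves the current result unchanged, and a directive whose <who> clauses all fail to match yields "none".

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class By:
    who: str                       # "*" or an identity name
    access: Optional[str] = None   # e.g. "read"/"none"; None = level not given
    control: str = "stop"          # "stop" (slapd default) or "break"

@dataclass
class AccessTo:
    what: str                      # attribute the directive applies to
    by: list = field(default_factory=list)

def evaluate(acls, user, attr):
    """Access level `user` ends up with on `attr` (simplified slapd semantics)."""
    granted = None
    for rule in acls:
        if rule.what != attr:
            continue
        # within one directive the first matching <who> clause decides
        clause = next((b for b in rule.by if b.who in ("*", user)), None)
        if clause is None:
            return "none"          # implicit trailing "by * none"
        if clause.access is not None:
            granted = clause.access   # absolute level replaces earlier result
        if clause.control == "stop":
            return granted if granted is not None else "none"
        # "break": skip remaining <who> clauses, go on to the next directive
    return granted if granted is not None else "none"

# Example 1 from the mail: joe's own clause carries "break"
EXAMPLE_1 = [
    AccessTo("blah", [By("joe", "read", "break")]),
    AccessTo("blah", [By("*", "none")]),
]
# Example 2 from the mail: joe stops, everyone else breaks to the next directive
EXAMPLE_2 = [
    AccessTo("blah", [By("joe", "read"), By("*", None, "break")]),
    AccessTo("blah", [By("*", "none")]),
]

if __name__ == "__main__":
    for name, acls in (("Example 1", EXAMPLE_1), ("Example 2", EXAMPLE_2)):
        print(name, "joe:", evaluate(acls, "joe", "blah"),
              "mary:", evaluate(acls, "mary", "blah"))
```

Example 1 gives joe "none" and Example 2 gives joe "read", which is exactly the difference between putting "break" on the checker's own clause and putting it on a separate "by *" clause.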