1:36 a.m.
Hi @all,
I struggle with the ACLs, I whant a special account to check the username and PW of the
entries on the LDAP-server.
Therefore I’ve written the following in the slapd.conf file:
access to attrs=userPassword
by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
by self write
by anonymous none
access to *
by * write
by anonymous none
But I can’t authenticate to the LDAP server, does somebody know why?
Greetings
John
1:43 a.m.
Fischer, Johannes wrote:
Hi @all,
I struggle with the ACLs, I whant a special account to check the username and PW of the
entries on the LDAP-server.
Therefore I’ve written the following in the slapd.conf file:
access to attrs=userPassword
by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
by self write
by anonymous none
[..]
But I can’t authenticate to the LDAP server, does somebody know why?
Use "by * auth" at the end of the ACL.
Ciao, Michael.
2:18 a.m.
On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote:
Hi @all,
I struggle with the ACLs, I whant a special account to check the username
and PW of the entries on the LDAP-server.
Therefore I’ve written the following in the slapd.conf file:
access to attrs=userPassword
by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
by self write
by anonymous none
this acl makes everyone able to write everything (except the password
that can be written by cn=authenticate and self),
and makes it impossible to bind not-anonimously
if you want users to be able to authenticate you shoud give 'anonymous'
users auth permissions to the userpassword attr:
access to attrs=userpassword
# allow connections to bind as user
by anonymous auth
# allow self password change
by self write
# allow cn=authenticate password change
by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
access to *
by * write
by anonymous none
But I can’t authenticate to the LDAP server, does somebody know why?
this rule makes everyone able to modify/add anything to your directory
(except from the userpassword attribute, managed by the first rule)
Greetings
John
bye,
dario
2:29 a.m.
Dario Zanzico wrote:
On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote:
> I struggle with the ACLs, I whant a special account to check the username
> and PW of the entries on the LDAP-server.
> Therefore I’ve written the following in the slapd.conf file:
>
> access to attrs=userPassword
> by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
> by self write
> by anonymous none
this acl makes everyone able to write everything (except the password
that can be written by cn=authenticate and self),
and makes it impossible to bind not-anonimously
if you want users to be able to authenticate you shoud give 'anonymous'
users auth permissions to the userpassword attr:
access to attrs=userpassword
# allow connections to bind as user
by anonymous auth
# allow self password change
by self write
# allow cn=authenticate password change
by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
Also note that "write" also includes "read" access which is not
necessary.
Better use privileges.
I've compiled some of my usual simple patterns into this example config:
https://build.opensuse.org/package/view_file/home:stroeder:branches:netwo...
YMMV. So everybody caring for real access control should really dive into
slapd.access(5) [1].
[1] http://www.openldap.org/software/man.cgi?query=slapd.access
Ciao, Michael.
10:03 a.m.
Hi,
+1 and..
A good way to think the acl rules construction is to say:
1/ the rules lines are scanned from top to bottom
2/ Every line is scanned from left to right
3/ When ldap query match one rule the scan process is *immediately* stopped.
In this this case: "access to * by * write by anonymous none"
"by anonymous" is *never* scanned because it is at the right of "by *"
who match everything
Cheers.
Le 23/09/2015 11:29, Michael Ströder a écrit :
Dario Zanzico wrote:
> On Wed, Sep 23, 2015, at 10:36 AM, Fischer, Johannes wrote:
>> I struggle with the ACLs, I whant a special account to check the username
>> and PW of the entries on the LDAP-server.
>> Therefore I’ve written the following in the slapd.conf file:
>>
>> access to attrs=userPassword
>> by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
>> by self write
>> by anonymous none
>
> this acl makes everyone able to write everything (except the password
> that can be written by cn=authenticate and self),
> and makes it impossible to bind not-anonimously
>
> if you want users to be able to authenticate you shoud give 'anonymous'
> users auth permissions to the userpassword attr:
>
> access to attrs=userpassword
> # allow connections to bind as user
> by anonymous auth
> # allow self password change
> by self write
> # allow cn=authenticate password change
> by dn="cn=authenticate,dc=vfk,dc=ldap,dc=com" write
Also note that "write" also includes "read" access which is not
necessary.
Better use privileges.
I've compiled some of my usual simple patterns into this example config:
https://build.opensuse.org/package/view_file/home:stroeder:branches:netwo...
YMMV. So everybody caring for real access control should really dive into
slapd.access(5) [1].
[1] http://www.openldap.org/software/man.cgi?query=slapd.access
Ciao, Michael.
--
*Abdelhamid Meddeb*
http://www.meddeb.net
2431
days inactive
2431
days old
openldap-technical@openldap.org
4 comments
4 participants
participants (4)
-
Abdelhamid Meddeb -
Dario Zanzico -
Fischer, Johannes -
Michael Ströder