Greetings.
In OpenLDAP (2.4.45, on FreeBSD), I'm trying to constrain the access of a DN to an attribute, by giving a DN access only when the connection is made via a socket; but without success. I may just be looking for an example of correct use.
What I'm trying is
olcAccess: to attrs=userPassword by dn.base="uid=pwreset,ou=service,dc=example,dc=edu" sockname.exact="/var/run/openldap/ldapi" write
(the idea is that the pwreset DN can be used by an automatic password-reset script, but that that DN will have that access only when the script is running on the same machine as the LDAP server).
This `by` phrase appears to match the production in Sect. 8.3 of the OpenLDAP access control documentation, and the remark in slapd.access(5) that the items in the <who> field ‘may be specified in combination’. And indeed there are no syntax warnings generated. I'm presuming that the combination implies an AND rather than an OR – this isn't made explicit in the documentation. I can find no examples covering this in either OpenLDAP documentation or on the web.
This stanza works when the sockname element is absent, suggesting that the configuration is otherwise working as I expect.
When I try to write the userPassword attribute using this DN, I get an ldap_modify: Insufficient access (50) error.
The OpenLDAP documentation doesn't (somewhat surprisingly) explicitly state what the effect of this sockname element is, and the slapd.access(5) page says, rather obliquely, that:
The statements peername=<peername>, sockname=<sockname>, domain=<domain>, and sockurl=<sockurl> mean that the contacting host IP (in the form IP=<ip>:<port> for IPv4, or IP=[<ipv6>]:<port> for IPv6) or the contacting host named pipe file name (in the form PATH=<path> if connecting through a named pipe) for peername, the named pipe file name for sockname, the contacting host name for domain, and the contacting URL for sockurl are compared against pattern to determine access.
Saying 'determine access' doesn't actually say very much.
Have I completely misunderstood the point of this access specification, or is there another way to do this?
Best wishes,
Norman
--On Wednesday, March 21, 2018 4:00 PM +0000 Norman Gray gray@nxg.name wrote:
Hi Norman,
> sockname.exact="/var/run/openldap/ldapi" write
ITS#3050 has an example of using both sockname and sockurl in an ACL. I'll see about having an example added to the admin guide.
http://www.openldap.org/its/index.cgi/?findid=3050
Warm regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
Quanah, hello.
On 22 Mar 2018, at 14:04, Quanah Gibson-Mount wrote:
> Hi Norman,
> sockname.exact="/var/run/openldap/ldapi" write
> ITS#3050 has an example of using both sockname and sockurl in an ACL. I'll see about having an example added to the admin guide.
Ah, many thanks.
I've just confirmed that
by dn.base="uid=pwreset,ou=service,dc=example,dc=edu" sockname.exact="PATH=/var/run/openldap/ldapi" =dxw
...does indeed work: the uid=pwreset DN does have write access with -H ldapi:///, but doesn't have that access when connecting over the network.
Looking again at the relevant paragraph in the slapd.access(5) manpage, I read it as indicating that the `PATH=<path>` syntax applies only to `peername`, and that `sockname` should have 'the named pipe file name'. It might be worth checking that the manpage does still completely reflect the code.
If that manpage is being revisited, then it would be useful to be explicit that the various constraints in a <who> stanza are ANDed together. This might naturally go near the text 'They may be specified in combination'.
And an example in the admin guide would indeed be most welcome.
Best wishes,
Norman
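The behaviour confirmed above, as an added model (not OpenLDAP's own ACL code): the components of one `by` clause are ANDed, and the sockname of an ldapi:/// connection compares as `PATH=<path>`, so the bare-path form never matches while the `PATH=` form grants access only over the socket. The connection attribute values are constructed for the illustration; only the `PATH=/var/run/openldap/ldapi` form comes from the thread.

```python
"""Toy evaluator for the <who> part of an olcAccess 'by' clause.

Added illustration, not slapd code. Real slapd also normalises DNs and
handles many more <who> forms; this only covers dn/sockname/peername with
the exact, base and regex styles seen in the thread.
"""
import re
import shlex

# Connection attributes as presented to the ACL engine (constructed values;
# the PATH= form for an ldapi connection is the one confirmed to work).
LDAPI_CONN = {"dn": "uid=pwreset,ou=service,dc=example,dc=edu",
              "sockname": "PATH=/var/run/openldap/ldapi",
              "peername": "PATH=/var/run/openldap/ldapi"}
TCP_CONN = {"dn": "uid=pwreset,ou=service,dc=example,dc=edu",
            "sockname": "IP=192.0.2.1:389",
            "peername": "IP=192.0.2.10:51234"}

# The clause that failed (bare path) and the one that worked (PATH= form).
ORIGINAL = ('by dn.base="uid=pwreset,ou=service,dc=example,dc=edu" '
            'sockname.exact="/var/run/openldap/ldapi" write')
WORKING = ('by dn.base="uid=pwreset,ou=service,dc=example,dc=edu" '
           'sockname.exact="PATH=/var/run/openldap/ldapi" =dxw')

def parse_by(clause):
    """Split a 'by ... <access>' clause into ([(attr, style, pattern)], access)."""
    toks = shlex.split(clause)
    if toks and toks[0] == "by":
        toks = toks[1:]
    conds, access = [], toks[-1]
    for tok in toks[:-1]:
        key, _, pattern = tok.partition("=")   # first '=' separates key/pattern
        attr, _, style = key.partition(".")
        conds.append((attr, style or "exact", pattern))
    return conds, access

def who_matches(conds, conn):
    """Every component of a single <who> must match: the parts are ANDed."""
    for attr, style, pattern in conds:
        value = conn.get(attr, "")
        if style in ("exact", "base"):
            ok = value == pattern
        elif style == "regex":
            ok = re.fullmatch(pattern, value) is not None
        else:
            raise ValueError("unsupported style: " + style)
        if not ok:
            return False
    return True

def grant(clause, conn):
    """Access the clause grants, or None when the clause does not apply."""
    conds, access = parse_by(clause)
    return access if who_matches(conds, conn) else None
```

A clause that returns None simply does not apply; slapd moves on to the next `by` clause, which is why the original form ended in "Insufficient access" rather than an error.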