12:45 p.m.
All,
I am inheriting the support of small openldap deployment and I am new to it. I have a
request to create a security group to this implementation and only users in this group
should have access to manage objects in the ldap.
We have something like this:
+-dc=nocinbox,dc=com
+---ou=groups
+---cn=admin
+---cn=app-admin
+---cn=sec-admin
+---ou=users
+---cn=admin
+---cn=appadmin
+---cn=appadmin2
+---cn=secadmin
In the olcDatabase configuration I have the following:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by
set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write
by * read
And only secadmin can make changes in the LDAP, that is great.
However, all other users can ldapsearch:
$ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D
"cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses
ldap_initialize( ldaps://openldap:636/??base )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# numResponses: 29
Is there any olcAccess configuration I can used to not allow any user to run ldapsearch
but still able to authenticate them? They still need to ssh and access some web servers.
Thank you very much,
Gerson
11:25 p.m.
New subject: Antw: [EXT] Re: How to allow openldap searches for all just one group
>> Quanah Gibson-Mount <quanah(a)fast-mail.org> schrieb am
30.04.2022 um 00:54
in
Nachricht <28499A685B1FAE689838078F(a)[192.168.1.17]>:
‑‑On Friday, April 29, 2022 10:42 PM +0000 gerson.garcia(a)itron.com wrote:
> Quanah,
>
> Yes I read it and tried replace "by * read" by "by * auth" and
"by *
> none" but then nobody could access it. Like I said, I am new on this, any
> support other than google it, I would appreciate it.
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by *
none
Is there any security implication if one uses ".. by self write by * auth"
instead?
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by
set="[cn=sec‑admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid"
write by * read
The only thing that requires anonymous auth access is the userPassword
attribute. However, other permissions may be necessary depending on the
operations. It's important as well to understand the section on the pseudo
attribute "entry too.
‑‑Quanah
3:54 p.m.
--On Friday, April 29, 2022 10:42 PM +0000 gerson.garcia(a)itron.com wrote:
Quanah,
Yes I read it and tried replace "by * read" by "by * auth" and
"by *
none" but then nobody could access it. Like I said, I am new on this, any
support other than google it, I would appreciate it.
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by *
none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by
set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid"
write by * read
The only thing that requires anonymous auth access is the userPassword
attribute. However, other permissions may be necessary depending on the
operations. It's important as well to understand the section on the pseudo
attribute "entry too.
--Quanah
2:42 p.m.
Quanah,
Yes I read it and tried replace "by * read" by "by * auth" and
"by * none" but then nobody could access it. Like I said, I am new on this, any
support other than google it, I would appreciate it.
Thank you,
2:22 p.m.
--On Friday, April 29, 2022 8:45 PM +0000 gerson.garcia(a)itron.com wrote:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
by *
none olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by
set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid"
write by * read
And only secadmin can make changes in the LDAP, that is great.
However, all other users can ldapsearch:
$ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D
"cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses
ldap_initialize( ldaps://openldap:636/??base )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# numResponses: 29
Is there any olcAccess configuration I can used to not allow any user to
run ldapsearch but still able to authenticate them? They still need to
ssh and access some web servers.
I suggest reading slapd.access(5) and understanding what "by * read"
implies and then adjust your ACLs accordingly.
--Quanah
59
days inactive
62
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
gerson.garcia@itron.com -
Quanah Gibson-Mount -
Ulrich Windl