On Thu, 18 Oct 2018 09:48:22 +0200
Lirien Maxime <maxime.lirien(a)gmail.com> wrote:
Run slapd in debugging mode 'acl' or test with slapacl(8)
Note that contextCSN is stored in the root entry.
-Dieter
In the log it seems that "supervision" can't access dc=fr; it starts
from dc=gouv,dc=fr.
Without rule #3 it's OK because of rule #5.
But with rule #3 it's supposed to match contextCSN.
Thanks guys.
Here are my ACLs:
# 1) Admin's branch
access to dn.subtree="ou=Comptes Admin,dc=fr"
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by self auth
by users auth
by anonymous auth
# 2) userPassword accessible by all
access to * attrs=userPassword
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by users auth
by anonymous auth
by * none
# 3) ********* CONTEXTCSN **********
access to dn.base="dc=fr" attrs=entry,children,contextcsn
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
by * none
# 4) Certificate
access to *
attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by * none
# 5) Branch dc=gouv,dc=fr
access to dn.subtree="dc=gouv,dc=fr"
by dn.subtree="ou=Comptes Clients,dc=fr" read
by dn.subtree="ou=Comptes Admin,dc=fr" write
by * none
# 6) All the tree
access to *
by dn.exact="cn=root,dc=fr" write
by dn.subtree="ou=Comptes Admin,dc=fr" read
by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
by self none
by users none
by anonymous none
by * none
On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount <quanah(a)symas.com> wrote:
> --On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter <dieter(a)dkluenter.de> wrote:
>
> > On Tue, 16 Oct 2018 15:51:50 +0200
> > Lirien Maxime <maxime.lirien(a)gmail.com> wrote:
> >
> >> Hi all,
> >> thanks for reading.
> >> I have a "supervision" account on all my LDAP servers. With the
> >> Nagios plugin, it checks the synchro. I would like this account
> >> to read only contextCSN to check the synchro, and only contextCSN,
> >> not the other entries (Nagios check plugin).
> >> Can someone help me write the right ACL?
> >>
> >> Here is what I tried, but it's not really right :-/
> >> # ContextCSN
> >> access to dn.subtree="dc=fr" attrs=contextCSN
> >> by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
> >> by * none
> >
> > access to dn.base=dc=fr
> > attrs=entry,children,contextCSN read
>
> I'd also be careful of doing "by * none" to the contextCSN, etc, as
> that can break replication depending on the DN that binds to the
> master(s), since the replication DN must be able to read the
> contextCSN.
>
> --Quanah
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by
> OpenLDAP: <http://www.symas.com>
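The point the thread turns on is slapd's first-match ACL evaluation: the first "access to" clause whose DN and attribute selectors match the request is the only one consulted, the first matching "by" in it decides, and a clause that matches with no matching "by" means no access, so the original subtree/contextCSN-only clause leaves the "entry" pseudo-attribute of dc=fr to rule 6 ("by users none") and the root entry is never returned, while a terminal "by * none" on the base-entry clause cuts off every DN not named in it. The following is an added example, not code from the thread or from OpenLDAP: a small Python model of that part of slapd.access(5), run over the DNs and rules as posted, with the first attempt and the suggested base-entry clause side by side. It does not model rootdn bypass, "break"/"continue", "+"/"-" privileges, regex or set styles, and its DN normalisation is a simplification; the real check remains slapacl(8) against the live configuration, or slapd in "acl" debug mode.

```python
# Added example (not from the thread): a model of slapd(8) first-match ACL
# evaluation, reduced to what slapd.access(5) says about the case discussed.
# Not modelled: rootdn bypass, break/continue, +/- privileges, regex/set styles.

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# DNs exactly as they appear in the posted ACL.
SYNCHRO = "cn=Synchro,ou=Comptes Admin,dc=fr"
SUPERVISION = "cn=supervision,ou=Comptes Clients,dc=fr"
ROOT = "cn=root,dc=fr"


def _norm(dn):
    # Simplified DN normalisation: case-fold and drop spaces around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_matches(style, pattern, dn):
    """dn.base / dn.exact match the DN itself; dn.subtree matches it and its descendants."""
    dn, pattern = _norm(dn), _norm(pattern)
    if style in ("base", "exact"):
        return dn == pattern
    if style == "subtree":
        return dn == pattern or dn.endswith("," + pattern)
    raise ValueError("unsupported style: " + style)


def who_matches(who, subject, target):
    """Evaluate one <who> of a 'by' clause; subject is None for an anonymous bind."""
    kind = who[0]
    if kind == "*":
        return True
    if kind == "anonymous":
        return subject is None
    if kind == "users":
        return subject is not None
    if kind == "self":
        return subject is not None and _norm(subject) == _norm(target)
    if kind.startswith("dn."):
        return subject is not None and dn_matches(kind[3:], who[1], subject)
    raise ValueError("unsupported who: " + kind)


def granted(rules, subject, target, attr):
    """Access level slapd would grant: first matching clause, first matching 'by'."""
    for rule in rules:
        to = rule["to"]                      # None stands for 'access to *'
        if to is not None and not dn_matches(to[0], to[1], target):
            continue
        attrs = rule.get("attrs")            # None: all attrs, including entry/children
        if attrs is not None and attr.lower() not in [a.lower() for a in attrs]:
            continue
        for who, level in rule["by"]:
            if who_matches(who, subject, target):
                return level
        return "none"                        # clause matched, no 'by' did: implicit 'by * none'
    return "none"                            # nothing matched: modelled as no access


def allowed(rules, subject, target, attr, want):
    return LEVELS.index(granted(rules, subject, target, attr)) >= LEVELS.index(want)


def base_search(rules, subject, base, attrs):
    """Model a base-scope search: the entry comes back only if its 'entry'
    pseudo-attribute is readable, and each attribute only if it is readable."""
    if not allowed(rules, subject, base, "entry", "read"):
        return None
    return [a for a in attrs if allowed(rules, subject, base, a, "read")]


# Rules 5 and 6 as posted.
RULE5 = {"to": ("subtree", "dc=gouv,dc=fr"), "by": [
    (("dn.subtree", "ou=Comptes Clients,dc=fr"), "read"),
    (("dn.subtree", "ou=Comptes Admin,dc=fr"), "write"),
    (("*",), "none")]}
RULE6 = {"to": None, "by": [
    (("dn.exact", ROOT), "write"),
    (("dn.subtree", "ou=Comptes Admin,dc=fr"), "read"),
    (("dn.exact", SYNCHRO), "read"),
    (("self",), "none"), (("users",), "none"), (("anonymous",), "none"), (("*",), "none")]}

# The first attempt from the thread: contextCSN only, over the whole subtree.
FIRST_TRY = [
    {"to": ("subtree", "dc=fr"), "attrs": ["contextCSN"], "by": [
        (("dn.subtree", SUPERVISION), "read"), (("*",), "none")]},
    RULE5, RULE6]

# The suggested form: the base entry only, with the entry/children pseudo-attributes.
FIXED = [
    {"to": ("base", "dc=fr"), "attrs": ["entry", "children", "contextCSN"], "by": [
        (("dn.exact", SYNCHRO), "read"), (("dn.exact", SUPERVISION), "read"), (("*",), "none")]},
    RULE5, RULE6]


if __name__ == "__main__":
    print("first try:", base_search(FIRST_TRY, SUPERVISION, "dc=fr", ["contextCSN"]))
    print("fixed:    ", base_search(FIXED, SUPERVISION, "dc=fr", ["contextCSN"]))
    # The caveat from the thread: a DN not named in the contextCSN clause is cut
    # off by its terminal 'by * none', even one rule 6 would otherwise allow.
    print("cn=root reads contextCSN:", allowed(FIXED, ROOT, "dc=fr", "contextCSN", "read"))
```

Under FIRST_TRY the supervision DN is granted read on contextCSN itself but not on the "entry" pseudo-attribute of dc=fr, so a base-scope search of the root returns nothing; under FIXED the same search returns contextCSN, and access under dc=gouv,dc=fr is unchanged because that clause only selects the base entry. The last line shows why the replication DN, and any other DN that must read contextCSN, has to be named in that clause: "by * none" there is final for those attributes regardless of what later clauses would grant.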