I am having some difficulty setting up the ACLs on my OpenLDAP server (2.4.8). No matter what I change, the ACL rules I write into my slapd.conf file seem to have no effect at all.
I have followed the FAQ here to try to set a simple password change ACL: http://www.openldap.org/faq/data/cache/320.html
As well as another to try to block Anonymous binds: http://www.openldap.org/faq/data/cache/318.html
But neither seems to have any effect at all. My present slapd.conf ACLs are as follows:
---
access to attrs=userPassword
    by self =xw
    by anonymous auth

# allow only rootdn to read the monitor
access to *
    by self write
    by anonymous none
    by users read
---
Is there some other part of the configuration that might disable ACLs?
nick@ndmckinney.net writes:
I am having some difficulty setting up the ACLs on my OpenLDAP server (2.4.8). No matter what I change, the ACL rules I write into my slapd.conf file seem to have no effect at all.
Have you stopped and restarted slapd? Only then do slapd.conf changes take effect.
Which client command are you using, how do you expect it to behave, and how does it actually behave?
As well as another to try to block Anonymous binds: http://www.openldap.org/faq/data/cache/318.html
Hmph, that's misleading. That doesn't block anonymous Bind, it blocks anonymously bound (or unbound) connections from accessing the directory. And without a userPassword acl above it, it also blocks users from Binding:-) See also the 'disallow' directive.
But neither seems to have any effect at all. My present slapd.conf ACLs are as follows:
No other acls? Do they occur in a database definition or above the database definitions?
access to attrs=userPassword
    by self =xw
    by anonymous auth
# allow only rootdn to read the monitor
The monitor? Then this one is presumably below 'database monitor' in slapd.conf?
access to *
    by self write
    by anonymous none
    by users read
On 4 June 08 at 10:49, Hallvard B Furuseth wrote:
nick@ndmckinney.net writes:
I am having some difficulty setting up the ACLs on my OpenLDAP server (2.4.8). No matter what I change, the ACL rules I write into my slapd.conf file seem to have no effect at all.
Have you stopped and restarted slapd? Only then do slapd.conf changes take effect.
Of course I've restarted slapd.
Which client command are you using, how do you expect it to behave, and how does it actually behave?
At the moment, I just want the user to be able to change his password. When I run this command:
slapacl -D "uid=ndmckinney,ou=accounts,o=example.com,dc=example,dc=com" -b "uid=ndmckinney,ou=accounts,o=example.com,dc=example,dc=com"
The relevant result is: userPassword=****: read(=rscxd)
I am expecting it to return (=xw). Further, when I check the log (loglevel 128), it reports: access_allowed: backend default write access denied to "uid=ndmckinney,ou=accounts,o=example.com,dc=example,dc=com"
As well as another to try to block Anonymous binds: http://www.openldap.org/faq/data/cache/318.html
Hmph, that's misleading. That doesn't block anonymous Bind, it blocks anonymously bound (or unbound) connections from accessing the directory. And without a userPassword acl above it, it also blocks users from Binding:-) See also the 'disallow' directive.
Perhaps I misunderstand the FAQ. Wouldn't this prevent the anonymous from seeing anything? I'll look into the 'disallow' directive as well, but right now I'm more interested in making sure my ACLs work at all.
But neither seems to have any effect at all. My present slapd.conf ACLs are as follows:
No other acls? Do they occur in a database definition or above the database definitions?
No other ACLs. I double-checked to make sure there wasn't anything hidden above the database definition.
access to attrs=userPassword
    by self =xw
    by anonymous auth
# allow only rootdn to read the monitor
The monitor? Then this one is presumably below 'database monitor' in slapd.conf?
access to *
    by self write
    by anonymous none
    by users read
Yes. These two were in the order found in my slapd.conf file, and both are below "database monitor".
Regards, Nick
--On Wednesday, June 04, 2008 5:07 PM -0400 Nicholas David McKinney nick@ndmckinney.net wrote:
Yes. These two were in the order found in my slapd.conf file, and both are below "database monitor".
Why would you have passwords in the monitor database? I'm guessing your users would be in a BDB database somewhere in dc=example,dc=com. I'm guessing you didn't actually set any ACLs on that database, so of course it grants the default.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
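Quanah's diagnosis (the ACLs were placed under "database monitor", so the BDB database holding the users had no ACLs and fell back to slapd's default policy) and Hallvard's earlier point (the userPassword rule has to come before the catch-all, or "by anonymous none" prevents users from binding at all) are illustrated by the following slapd.conf layout. This is an added example, not a file from the thread or from the OpenLDAP project; the schema include path, BDB directory, rootdn and the monitor ACL are assumptions made for illustration.

```conf
# Added example (not from the thread). Paths, the BDB directory and the
# rootdn "cn=Manager,dc=example,dc=com" are assumed values for illustration.

include         /etc/openldap/schema/core.schema
pidfile         /var/run/slapd/slapd.pid

#######################################################################
# Wrong layout (what the thread describes): the ACLs sit after
# "database monitor", so they govern only cn=Monitor. The BDB database
# below has no ACLs of its own, so slapd applies its built-in default
# (everyone may read, only rootdn may write). That is why slapacl reports
# userPassword as read(=rscxd) and loglevel 128 logs
# "backend default write access denied".
#######################################################################
# database monitor
# access to attrs=userPassword
#         by self =xw
#         by anonymous auth
# access to *
#         by self write
#         by anonymous none
#         by users read

#######################################################################
# Corrected layout: ACLs belong in the database definition that actually
# holds the users. An ACL applies to the database definition it follows;
# ACLs written before the first "database" line are global defaults.
# Order within the list matters too: the userPassword rule comes first so
# that anonymous clients can still use the attribute to bind ("auth"),
# while the catch-all below denies them everything else.
#######################################################################
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap

access to attrs=userPassword
        by self =xw
        by anonymous auth
        # "by * none" is the implicit end of every ACL; shown for clarity
        by * none

access to *
        by self write
        by anonymous none
        by users read

# The monitor database only needs its own read rule for the rootdn
# (assumed DN); user passwords never live here.
database        monitor
access to *
        by dn.exact="cn=Manager,dc=example,dc=com" read
        by * none
```

After restarting slapd, re-running the slapacl command from the thread against the user's own entry should show the (=xw) mask on userPassword instead of read(=rscxd), and the loglevel 128 trace should stop reporting "backend default" decisions: that wording is the tell-tale that no ACL list exists for the database being evaluated, which is worth checking before assuming the rules themselves are wrong.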
Eureka! I was wondering why I wasn't making a difference; I wasn't. Permissions are where they belong now, so I'm on my way. Thanks to everyone for their help!
Regards, Nick
openldap-technical@openldap.org