Hi all,
would it be possible to configure a content-based access control? I have the following configuration: my LDAP contains user data. Some of the users are local ones and have a regular password entry. They shall be able to change their password. Other users are remotely authenticated with saslauthd. They shall not be able to change their 'password', which is just a redirection.
Example:
dn: uid=remoteuser,ou=People,dc=mydomain,dc=de
uid: remoteuser
cn: Adam Example
uidNumber: 9007
gidNumber: 90
sn: Example
userPassword: {SASL}remoteuser

dn: uid=localuser,ou=People,dc=mydomain,dc=de
uid: localuser
cn: Bruce Somename
uidNumber: 1001
gidNumber: 10
sn: Somename
userPassword: {SHA}03de6c570bfe24bfc328ccd7ca46b76eadaf4334
User localuser shall be able to change his password, user remoteuser not. Can this be done by a fancy ACL entry, rejecting changes to passwords starting with '{SASL}'?
Thanks in advance, Frank
Frank Rust wrote:
Hi all,
would it be possible to configure a content-based access control?
Yes. Read the slapd.access(5) manpage.
I have the following configuration: my LDAP contains user data. Some of the users are local ones and have a regular password entry. They shall be able to change their password. Other users are remotely authenticated with saslauthd. They shall not be able to change their 'password', which is just a redirection.
I did read, but slapd does it the wrong way. My slapd.conf contains the following:

# forbid writing to userPassword for entries starting with {SASL}
access to attrs=userPassword val.regex="SASL}.*"
        by * auth stop

# allow writing to ldapclient and self, otherwise only auth
access to attrs=userPassword,userPKCS12,sambaNTPassword,sambaLMPassword
        by dn="cn=ldapclient,dc=mydomain,dc=de" write
        by self write
        by * auth
What I expect is that an entry with an existing userPassword of '{SASL}something' will not be writable by any user.
What I get is that the ldapclient and 'self' can write a new userPassword if the content of the *NEW* password does not contain {SASL}.
I don't understand how to get it working in my way.
Protocol:
---------
Database has the following entries (shortened):

dn: uid=frust,ou=People,dc=mydomain,dc=de
userPassword:: geheim

dn: uid=someone,ou=People,dc=mydomain,dc=de
userPassword:: {SASL}someone
Now try to change entries:
ldapmodify -x -v -D 'cn=ldapclient,dc=mydomain,dc=de' -W
dn: uid=someone,ou=People,dc=mydomain,dc=de
changetype: modify
replace: userPassword
userPassword: newpass
-
Enter LDAP Password:
replace userPassword:
        newpass
modifying entry "uid=someone,ou=People,dc=mydomain,dc=de"
modify complete

ldapmodify -x -v -D 'cn=ldapclient,dc=mydomain,dc=de' -W
dn: uid=frust,ou=People,dc=mydomain,dc=de
changetype: modify
replace: userPassword
userPassword: {SASL}abc
-
Enter LDAP Password:
replace userPassword:
        {SASL}abc
modifying entry "uid=frust,ou=People,dc=mydomain,dc=de"
ldap_modify: Insufficient access (50)
On Friday, 26.11.2010, 05:09 -0800, Howard Chu wrote: