 
            Hello,
I'd like to refine the permission set of my OpenLDAP installation. The tree structure is:
dc=mydomain
- cn=admin (ldap admin)
- ou=domains (customer domains)
  - ou=example1.com
    - cn=user1
    - cn=user2
    - cn=postmaster
  - ou=example2.com
    - cn=user1
    - cn=user2
    - cn=postmaster
The user postmaster is able to change specific attributes of objects in its own "domain" (one level up).
The current ACLs are defined as:
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by anonymous auth by * none
access to attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by anonymous auth by * none
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=sn,description,vacationActive,vacationInfo,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read
access to * by dn.base="cn=admin,dc=mydomain" write by * read
ACL rule 4 allows the postmaster to add objects to its "domain" without any restrictions. How can I restrict object creation to specific object classes and attributes? Let's say the postmaster should only be able to add objects like the following:
dn: cn=user3,ou=example2.com,ou=domains,dc=mydomain
objectClass: CourierMailAccount
objectClass: inetOrgPerson
objectClass: top
objectClass: Vacation
cn: user3
homeDirectory: user3/example2.com/
mail: user.3@exampl2.com
sn: User3
vacationActive: TRUE
gidNumber: 5000
smtpRelayFlag: 1
uidNumber: 5000
userPassword:: <crypted password>
vacationInfo:: <binary data>
I didn't find such an approach in the Faq-O-Matic or in the manuals. Thanks in advance for any advice.
 
On Tue, 5 Aug 2014 09:41:36 +0200 Simeon Ott simeon.ott@onnet.ch wrote:
ACL rule 4 allows the postmaster to add objects to its "domain" without any restrictions. How can I restrict object creation to specific object classes and attributes? Let's say the postmaster should only be able to add objects like the following:
[...] man slapd.access(5), the <WHAT> field: @<objectClass>
-Dieter
 
            On 05.08.2014, at 11:39, Dieter Klünter dieter@dkluenter.de wrote:
[...] man slapd.access(5), the <WHAT> field: @<objectClass>
-Dieter
Thanks Dieter, I tried the following already … instead of rules 3 and 4 I used the following:
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write by * read
access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write by * read
As postmaster I'm still able to add objects to its domain. But I'm also able to add other object classes and attributes.
I think I'm messing around with the attributes entry and children – can anyone help me clean this up? :-)
 
On Tue, 5 Aug 2014 13:39:13 +0200 Simeon Ott simeon.ott@onnet.ch wrote:
Thanks Dieter, I tried the following already … instead of rules 3 and 4 I used the following:
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,vacationInfo,smtpRelayFlag,description,vacationForward,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=intra,dc=onnet,dc=ch" write by * read
access to dn.regex="^ou=(.+),ou=domains,dc=intra,dc=onnet,dc=ch$" attrs=children by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=intra,dc=onnet,dc=ch" write by * read
As postmaster I'm still able to add objects to its domain. But I'm also able to add other object classes and attributes.
I think I'm messing around with the attributes entry and children – can anyone help me clean this up? :-)
Run slapd in debugging mode acl and watch the rule number applied to a write operation.
-Dieter
 
            On 05.08.2014, at 15:00, Dieter Klünter dieter@dkluenter.de wrote:
Run slapd in debugging mode acl and watch the rule number applied to a write operation.
Okay, this didn't really help, but thanks anyway. I'm not familiar with reading those logs. I adjusted the loglevel to 128 to see the ACL processing, but it's still a huge amount of log lines when adding such an LDIF. I thought it was going to be an easy task.
 
On Tue, 5 Aug 2014 16:26:44 +0200 Simeon Ott simeon.ott@onnet.ch wrote:
Okay, this didn't really help, but thanks anyway. I'm not familiar with reading those logs. I adjusted the loglevel to 128 to see the ACL processing, but it's still a huge amount of log lines when adding such an LDIF. I thought it was going to be an easy task.
I am talking about debugging, not logging! man slapd(8)
-Dieter
 
            On 05.08.2014, at 18:03, Dieter Klünter dieter@dkluenter.de wrote:
I am talking about debugging, not logging! man slapd(8)
Can you help me find the applied rule during the write process of an object with uid=1234? I used other object classes and attributes which are not in the allowed attribute list. The debugging output is attached to this email. The current ACL set is listed below.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by anonymous auth by * none
access to attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by anonymous auth by * none
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write by * read
access to * by dn.base="cn=admin,dc=mydomain" write by * read
Appreciate your help! Simeon
 
            On 05.08.2014, at 22:41, Simeon Ott simeon.ott@onnet.ch wrote:
Can you help me find the applied rule during the write process of an object with uid=1234? I used other object classes and attributes which are not in the allowed attribute list. The debugging output is attached to this email. The current ACL set is listed below.
The filter statement below actually did the trick.
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by anonymous auth by * none
access to attrs=userPassword by dn.base="cn=admin,dc=mydomain" write by self write by anonymous auth by * none
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write by * read
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=entry,cn,uidNumber,gidNumber,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title filter="(&(objectClass=CourierMailAccount)(objectClass=inetOrgPerson)(objectClass=top)(objectClass=Vacation))" by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read
access to * by dn.base="cn=admin,dc=mydomain" write by * read
 
On Tue, 5 Aug 2014 22:41:54 +0200 Simeon Ott simeon.ott@onnet.ch wrote:
On 05.08.2014, at 18:03, Dieter Klünter dieter@dkluenter.de wrote:
Can you help me find the applied rule during the write process of an object with uid=1234? I used other object classes and attributes which are not in the allowed attribute list. The debugging output is attached to this email. The current ACL set is listed below.
[...]
access to dn.regex="^(.+,)?ou=(.+),ou=domains,dc=mydomain$" attrs=@CourierMailAccount,@inetOrgPerson,@top,@Vacation,entry,cn,sn,homeDirectory,vacationActive,vacationInfo,vacationForward,smtpRelayFlag,description,displayName,givenName,homePhone,homePostalAddress,initials,mobile,postalAddress,postalCode,l,telephoneNumber,title by self write by dn.base,expand="cn=postmaster,ou=$2,ou=domains,dc=mydomain" write by * read
access to dn.regex="^ou=(.+),ou=domains,dc=mydomain$" attrs=children by dn.base,expand="cn=postmaster,ou=$1,ou=domains,dc=mydomain" write by * read
These two rule sets are applied: the objectClasses are expanded and all attribute types of these objectClasses are write-allowed. The restricting attribute types are not considered, as @<objectClass> is applied and matched.
-Dieter
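To make Dieter's point concrete, the following is a small Python model of the ACL evaluation this thread turns on. It is an added example, not code from the thread and not OpenLDAP's own implementation: it models first-match clause selection (the first "access to" clause whose what-part matches decides, then the first matching "by" inside it), the expansion of @<objectClass> in an attrs= list into that class's MUST and MAY attributes, the filter= restriction, and $N substitution for dn.base,expand. The MUST/MAY lists in SCHEMA are a constructed subset (enough to show the effect, not the real schema files), and the entries and bind DNs are constructed from the tree described in the first message. It runs both rule sets Simeon posted (the @objectClass version and the final filter= version) over the same candidate entry, and goes one step beyond the thread by giving that entry an extra posixAccount class to show what an (&(objectClass=...)...) filter does and does not pin down.

```python
# Model of the slapd ACL evaluation discussed in this thread (added example, not
# OpenLDAP code). Schema subset, DNs and entries are constructed for the demo.
import re

SCHEMA = {  # constructed MUST/MAY subset, not the real schema files
    "top": {"objectClass"},
    "inetOrgPerson": {"cn", "sn", "uid", "mail", "jpegPhoto", "userPassword"},
    "CourierMailAccount": {"mail", "homeDirectory", "uidNumber", "gidNumber"},
    "Vacation": {"vacationActive", "vacationInfo", "vacationForward"},
}
DOMAIN_RE = r"^(.+,)?ou=(.+),ou=domains,dc=mydomain$"
ADMIN = ("dn.base", "cn=admin,dc=mydomain")
POSTMASTER = ("dn.base,expand", "cn=postmaster,ou=$2,ou=domains,dc=mydomain")
PARENT_POSTMASTER = ("dn.base,expand", "cn=postmaster,ou=$1,ou=domains,dc=mydomain")
INTENDED_CLASSES = {"CourierMailAccount", "inetOrgPerson", "top", "Vacation"}
EXPLICIT_ATTRS = {"entry", "cn", "uidNumber", "gidNumber", "sn", "homeDirectory",
                  "vacationActive", "vacationInfo", "vacationForward", "smtpRelayFlag",
                  "description", "displayName", "givenName", "telephoneNumber", "title"}

def clause(by, dn_regex=None, attrs=None, oc_filter=None):
    """One 'access to <what> by ...' directive; oc_filter = classes an (&(objectClass=..)..) filter requires."""
    return {"dn_regex": dn_regex, "attrs": attrs, "filter": oc_filter, "by": by}

PASSWORD_RULES = [
    clause([(ADMIN, "write"), ("self", "write"), (POSTMASTER, "write"),
            ("anonymous", "auth"), ("*", "none")], DOMAIN_RE, {"userPassword"}),
    clause([(ADMIN, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")],
           attrs={"userPassword"}),
]
CHILDREN_RULE = clause([(PARENT_POSTMASTER, "write"), ("*", "read")],
                       r"^ou=(.+),ou=domains,dc=mydomain$", {"children"})
CATCH_ALL = clause([(ADMIN, "write"), ("*", "read")])
# Second attempt in the thread: attribute list built from @<objectClass>.
WITH_OC_EXPANSION = PASSWORD_RULES + [
    clause([("self", "write"), (POSTMASTER, "write"), ("*", "read")], DOMAIN_RE,
           {"@" + c for c in INTENDED_CLASSES} | EXPLICIT_ATTRS),
    CHILDREN_RULE, CATCH_ALL]
# Final version in the thread: explicit attributes plus an objectClass filter.
WITH_FILTER = PASSWORD_RULES + [
    CHILDREN_RULE,
    clause([("self", "write"), (POSTMASTER, "write"), ("*", "read")], DOMAIN_RE,
           EXPLICIT_ATTRS, oc_filter=INTENDED_CLASSES),
    CATCH_ALL]

def expand_attrs(attrs):
    """attrs= list with each @<objectClass> replaced by that class's MUST/MAY attributes."""
    out = set()
    for a in attrs:
        out |= SCHEMA[a[1:]] if a.startswith("@") else {a}
    return out

def who_matches(who, bind_dn, entry, groups):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn == entry["dn"]
    style, pattern = who
    if style == "dn.base":
        return bind_dn == pattern
    # dn.base,expand: $N is replaced by group N of the dn.regex match
    return bind_dn == re.sub(r"\$(\d)", lambda m: groups[int(m.group(1)) - 1] or "", pattern)

def access(rules, bind_dn, entry, attr):
    """Level bind_dn gets on attr: first matching clause, first matching 'by' in it."""
    for rule in rules:
        groups = ()
        if rule["dn_regex"]:
            m = re.match(rule["dn_regex"], entry["dn"])
            if not m:
                continue
            groups = m.groups()
        if rule["attrs"] is not None and attr not in expand_attrs(rule["attrs"]):
            continue
        if rule["filter"] and not rule["filter"] <= set(entry["objectClass"]):
            continue
        for who, level in rule["by"]:
            if who_matches(who, bind_dn, entry, groups):
                return level
        return "none"  # clause matched, no 'by' did: implicit 'by * none'
    return "none"      # no clause matched; both sets above end in a catch-all anyway

def verdicts():
    """example2.com's postmaster against a candidate entry carrying one extra class."""
    pm = "cn=postmaster,ou=example2.com,ou=domains,dc=mydomain"
    foreign_pm = "cn=postmaster,ou=example1.com,ou=domains,dc=mydomain"
    parent = {"dn": "ou=example2.com,ou=domains,dc=mydomain", "objectClass": ["organizationalUnit"]}
    user3 = {"dn": "cn=user3,ou=example2.com,ou=domains,dc=mydomain",
             "objectClass": sorted(INTENDED_CLASSES) + ["posixAccount"]}
    no_vacation = {"dn": user3["dn"], "objectClass": ["CourierMailAccount", "inetOrgPerson", "top"]}
    return {
        "oc_expansion/objectClass": access(WITH_OC_EXPANSION, pm, user3, "objectClass"),  # via @top
        "oc_expansion/jpegPhoto": access(WITH_OC_EXPANSION, pm, user3, "jpegPhoto"),  # via @inetOrgPerson
        "filter/jpegPhoto": access(WITH_FILTER, pm, user3, "jpegPhoto"),
        "filter/cn": access(WITH_FILTER, pm, user3, "cn"),  # extra class still satisfies the & filter
        "filter/cn_without_Vacation": access(WITH_FILTER, pm, no_vacation, "cn"),
        "filter/objectClass": access(WITH_FILTER, pm, user3, "objectClass"),
        "filter/children_on_parent": access(WITH_FILTER, pm, parent, "children"),
        "filter/foreign_postmaster_children": access(WITH_FILTER, foreign_pm, parent, "children"),
    }

if __name__ == "__main__":
    print(*verdicts().items(), sep="\n")
```

Three things are worth reading off the output. With @top in the attribute list, objectClass itself becomes writable for the postmaster, and @inetOrgPerson drags in attributes such as jpegPhoto that the explicit list never named; that is the expansion Dieter describes. With the filter= version, jpegPhoto falls through to the catch-all and the postmaster of example1.com gets only read on example2.com's children, but cn is still writable on an entry that carries posixAccount on top of the four intended classes: an AND of objectClass equalities requires those classes, it does not forbid extra ones. Finally, the model only evaluates one attribute at a time and does not reproduce a whole add operation; it reports objectClass falling through to the catch-all under the filter rule set, and which rule slapd really applies to each attribute of an add on your server is exactly what running slapd in debug mode acl, as suggested in the thread, will show.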
openldap-technical@openldap.org

