Hello,
I tried to filter out everyone except cn=config when my ACL filter rule is true (a NAME type attribute matches a value), so that password authentication for filtered-out users would fail. It works for regular users, and does not for admins. Is this because my ACL rules are wrong, or is this a feature of OpenLDAP? Why no matter what I do
My LDIF is below:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange filter=(serviceLevel=suspended) by dn="cn=config" write by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange filter=(!(serviceLevel=suspended)) by self write by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * filter=(serviceLevel=suspended) by dn="cn=config" write by * none
olcAccess: {4}to * filter=(!(serviceLevel=suspended)) by self write by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * read
Is there something special about LDAP administrator, by design?
Thank you,
Igor Shmukler
Hi,
For those who might find this thread through Google and, like me, are overwhelmed with information and won't understand the documentation: the RootDN cannot be restricted from having privileges under OpenLDAP 2.4. Hence, ACLs won't do anything for the RootDN. This is documented.
Someone elsewhere pointed this out to me.
Sincerely,
Igor Shmukler
On Wed, Apr 15, 2015 at 5:41 PM, Igor Shmukler igor.shmukler@gmail.com wrote:
--On Thursday, April 16, 2015 9:28 PM +0200 Igor Shmukler igor.shmukler@gmail.com wrote:
From the slapd.access(5) man page:
Be warned: the rootdn can always read and write EVERYTHING!
From the OpenLDAP 2.4 Admin Guide section on Access Control:
http://www.openldap.org/doc/admin24/access-control.html
The default access control policy is allow read by all clients. Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
So, it seems to me, it is quite clearly documented in multiple locations.
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
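To make the thread's conclusion concrete, here is an added Python model (not part of the thread and not slapd's own code) that walks Igor's five olcAccess values with slapd's first-match rule and the rootdn bypass Quanah quotes: a suspended user's bind is refused, an active user's bind gets auth, and the rootdn is granted everything before the ACLs are even read. It assumes cn=admin,dc=directory,dc=com is the database's olcRootDN and that a simple bind needs auth access to userPassword, evaluated while the connection is still anonymous; the two sample entries are constructed.

```python
import re

# Simplified model of slapd ACL evaluation (added for this thread, not slapd's code): the first
# matching <to> clause wins, then its first matching <by> sets the level; the rootdn bypasses ACLs.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]
ROOTDN = "cn=admin,dc=directory,dc=com"  # assumed to be the database olcRootDN
ACLS = [  # Igor's five olcAccess values without their {n} ordering prefixes
    'to attrs=userPassword,shadowLastChange filter=(serviceLevel=suspended) '
    'by dn="cn=config" write by * none',
    'to attrs=userPassword,shadowLastChange filter=(!(serviceLevel=suspended)) by self write '
    'by anonymous auth by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * none',
    'to dn.base="" by * read',
    'to * filter=(serviceLevel=suspended) by dn="cn=config" write by * none',
    'to * filter=(!(serviceLevel=suspended)) by self write '
    'by dn="cn=admin,dc=directory,dc=com" write by dn="cn=config" write by * read',
]

def parse(acl):  # 'to <what> by <who> <level> ...' -> (target dict, [(who, level), ...])
    target, *bys = re.split(r"\s+by\s+", acl.strip()[len("to "):])
    what = {k: (v.strip('"') if v else None) for k, _, v in (t.partition("=") for t in target.split())}
    pairs = [b.split()[:2] for b in bys]  # 'dn="cn=config" write' -> ('cn=config', 'write')
    return what, [(w[3:].strip('"') if w.startswith("dn=") else w, lvl) for w, lvl in pairs]

def target_matches(what, entry, attr):
    if ("dn.base" in what and entry["dn"] != what["dn.base"]) or (
            "attrs" in what and attr not in what["attrs"].split(",")):
        return False
    if "filter" not in what:  # plain 'to *' (or 'to dn.base=""'): no filter to check
        return True
    a, v = re.match(r"\(!?\(?(\w+)=([^)]*)\)", what["filter"]).groups()  # (a=v) or (!(a=v))
    return (v in entry["attrs"].get(a, [])) != what["filter"].startswith("(!")

def access(requester, entry, attr, rootdn=ROOTDN, acls=ACLS):  # requester '' = anonymous
    if requester == rootdn:
        return "write"  # rootdn: full rights on everything, the ACLs are never consulted
    for acl in acls:
        what, bys = parse(acl)
        if target_matches(what, entry, attr):
            for who, level in bys:
                if (who in ("*", requester) or (who == "self" and requester == entry["dn"])
                        or (who == "anonymous" and requester == "")):
                    return level
            return "none"  # <to> matched but no <by> did: the implicit trailing 'by * none'
    return "none"  # nothing matched; model simplification (slapd applies its configured default)

def bind_allowed(entry):  # a simple bind needs 'auth' on userPassword, checked as anonymous
    return LEVELS.index(access("", entry, "userPassword")) >= LEVELS.index("auth")
# Constructed sample entries, one per branch of the serviceLevel filter.
ACTIVE = {"dn": "uid=alice,dc=directory,dc=com", "attrs": {"serviceLevel": ["active"]}}
SUSPENDED = {"dn": "uid=bob,dc=directory,dc=com", "attrs": {"serviceLevel": ["suspended"]}}
```

Whatever serviceLevel the admin's own entry carries, access(ROOTDN, ...) returns "write" without a single rule being read, which is exactly the behaviour Igor observed and the man page warns about.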