Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
access to attrs=userPassword,shadowLastChange
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by anonymous auth
    by self write
    by * none
which works fine on the "real" DN dc=dighum,dc=kcl,dc=ac,dc=uk - I can add extra attrs like homeDirectory and an unauth'd ldapsearch will not list them - e.g.:
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=dighum,dc=kcl,dc=ac,dc=uk
However, an
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
lists the "virtual copy" tree AND includes the userPassword attr for each entry which of course, is rather bad.
Anyone see why the ACLs are not being applied to the results of the relay/rwm section?
Many thanks,
Tim
slapd.conf
#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel -1

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

allow bind_anon_cred bind_anon_dn update_anon

backend hdb
#backend <other>

overlay rwm
rwm-rewriteEngine on

# Virtual maps
#
# map ou=staff,dc=cch to dc=dighum
#
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#######################################################################
# Specific Directives for database dighum
#
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw "CENSORED"
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30

#######################################################################
# ACLs
#
access to attrs=userPassword,shadowLastChange
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by self write
    by * read

#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database <other>
#suffix "dc=debian,dc=org"
--On Wednesday, June 20, 2012 1:20 PM -0400 Frank Swasey Frank.Swasey@uvm.edu wrote:
On 6/20/12 1:08 PM, Tim Watts wrote:
Hi,
Sorry - can't figure this out - would welcome any ideas :)
Think of your rootdn as God, ACLs do not apply. Even if they did, write access implies read (iirc)
I think his search example was bad. He said he was unauthed. :P
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 20/06/12 18:44, Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2012 1:20 PM -0400 Frank Swasey Frank.Swasey@uvm.edu wrote:
On 6/20/12 1:08 PM, Tim Watts wrote:
Hi,
Sorry - can't figure this out - would welcome any ideas :)
Think of your rootdn as God, ACLs do not apply. Even if they did, write access implies read (iirc)
I think his search example was bad. He said he was unauthed. :P
Yes - although there was a bind DN, no password is offered... Sorry - bit confusing...
--On Wednesday, June 20, 2012 6:08 PM +0100 Tim Watts tw@dionic.net wrote:
Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
Your ACLs are only set in the HDB backend section. Have you tried adding ACLs to the relay DB?
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
On 20/06/12 18:21, Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2012 6:08 PM +0100 Tim Watts tw@dionic.net wrote:
Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
Your ACLs are only set in the HDB backend section. Have you tried adding ACLs to the relay DB?
Hi Quanah,
I was thinking it might be something like that - but I could not work out the scope of the ACLs - they looked global to me.
So do I have to duplicate the ACLs just after the "database relay" section?
##################################################
# Virtual maps
#
# map ou=staff,dc=cch to dc=dighum
#
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

<ACL section duplicated>
###################################################
If so, that makes sense - my bad for assuming the ACL section was a global section by itself...
Cheers
Tim
--On Wednesday, June 20, 2012 7:08 PM +0100 Tim Watts tw@dionic.net wrote:
On 20/06/12 18:21, Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2012 6:08 PM +0100 Tim Watts tw@dionic.net wrote:
Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
Your ACLs are only set in the HDB backend section. Have you tried adding ACLs to the relay DB?
Hi Quanah,
I was thinking it might be something like that - but I could not work out the scope of the ACLs - they looked global to me.
So do I have to duplicate the ACLs just after the "database relay" section?
Correct.
ACLs are only global if they appear before any backend database definitions.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
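The scoping rule Quanah states here is easy to get wrong by eye in a long slapd.conf, so the following is an added example (it is not code from this thread, from Tim's setup, or from the OpenLDAP project) that applies the rule mechanically: a small Python script that walks a slapd.conf, treats every access directive that precedes the first database directive as global and every later one as belonging to the database section it sits in, and warns about any database whose effective ACL list is empty, since slapd's documented default policy for that case is "access to * by * read". The two sample configs are constructed to mirror the before/after layouts discussed in the thread; the DNs are borrowed from it and the code only models the position rule, not the full ACL evaluation order.

```python
"""Scope each 'access' directive in a slapd.conf by position.

Added example, not code from this thread or the OpenLDAP project.
Rule modelled: an access directive is global only if it appears before
the first 'database' directive; any later one belongs to the database
section it sits in.  A database with no ACLs of its own and no global
ACLs falls back to slapd's documented default, "access to * by * read".
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Section:
    name: str                      # "global" or "database <backend>"
    suffix: Optional[str] = None   # set by the section's 'suffix' directive
    acls: List[str] = field(default_factory=list)


def logical_lines(text: str) -> List[str]:
    """Join continuation lines (a line beginning with whitespace continues
    the previous directive) and drop blank lines and comments."""
    lines: List[str] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def acl_scopes(text: str) -> List[Section]:
    """Return the global pseudo-section followed by one Section per database,
    each carrying the access directives that apply to it by position."""
    sections = [Section("global")]
    for line in logical_lines(text):
        keyword, _, rest = line.partition(" ")
        kw = keyword.lower()
        if kw == "database":
            sections.append(Section(f"database {rest.strip()}"))
        elif kw == "suffix":
            sections[-1].suffix = rest.strip().strip('"')
        elif kw == "access":
            sections[-1].acls.append(line)
    return sections


def databases_on_default_policy(sections: List[Section]) -> List[Section]:
    """Databases with no ACLs of their own and no global ACLs to fall back on."""
    if sections[0].acls:
        return []
    return [s for s in sections[1:] if not s.acls]


def report(text: str) -> List[str]:
    """Human-readable summary, one line per section plus any warnings."""
    sections = acl_scopes(text)
    out = []
    for s in sections:
        where = f"{s.name} (suffix {s.suffix})" if s.suffix else s.name
        out.append(f"{where}: {len(s.acls)} access directive(s)")
    for s in databases_on_default_policy(sections):
        out.append(f"WARNING: {s.name} suffix {s.suffix} has no ACLs; "
                   "default policy 'access to * by * read' applies")
    return out


# Constructed sample: ACLs placed after 'database hdb', relay database first.
BEFORE = """\
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
directory "/var/lib/ldap"
access to attrs=userPassword,shadowLastChange
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by anonymous auth
    by self write
    by * none
access to * by * read
"""

# Constructed sample: the same ACLs moved ahead of the first 'database'.
_dbs, _acls = BEFORE.split("access to attrs", 1)
AFTER = "access to attrs" + _acls + "\n" + _dbs


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(f"--- {label} ---")
        print("\n".join(report(cfg)))
```

Run against the "before" layout it reports zero global ACLs, zero for the relay database and two for the hdb database, and warns that the relay suffix is on the default policy; with the ACLs moved ahead of the first database directive the two ACLs are global and the warning disappears.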
On 20/06/12 19:20, Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2012 7:08 PM +0100 Tim Watts tw@dionic.net wrote:
On 20/06/12 18:21, Quanah Gibson-Mount wrote:
--On Wednesday, June 20, 2012 6:08 PM +0100 Tim Watts tw@dionic.net wrote:
Hi,
Sorry - can't figure this out - would welcome any ideas :)
The slapd.conf below contains an ACL:
Your ACLs are only set in the HDB backend section. Have you tried adding ACLs to the relay DB?
Hi Quanah,
I was thinking it might be something like that - but I could not work out the scope of the ACLs - they looked global to me.
So do I have to duplicate the ACLs just after the "database relay" section?
Correct.
ACLs are only global if they appear before any backend database definitions.
Awesome! - Thanks for that explanation... As it happens, I would like some global ACLs and maybe a minor override for the relay section.
I'll try some of that out on my test server :)
Cheers!
Tim
Hi,
Wonderful - the slapd.conf (see end) with a slight re-arrangement, works!
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
does not return userPassword attributes (the -D is convenience, no auth is performed).
However,
ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
Does return userPassword - which is what I want. The UNIX domain socket is protected under a root directory mode 700 so only root can connect this way - i.e., local root use has full unauthenticated access to ldap which is what I want, so that scripts may easily be run to maintain the LDAP database.
Thanks again for your help :)
Cheers,
Tim
#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel -1

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_relay
moduleload rwm

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1

allow bind_anon_cred bind_anon_dn update_anon

backend hdb
#backend <other>

overlay rwm
rwm-rewriteEngine on

#######################################################################
# ACLs
#
access to attrs=userPassword,shadowLastChange
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by anonymous auth
    by self write
    by * none

access to dn.base="" by * read

access to *
    by peername.path="/var/run/slapd/ldapi" write
    by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" write
    by self write
    by * read

#######################################################################
# Virtual maps
#
# map ou=staff,dc=cch to dc=dighum
#
database relay
suffix "ou=staff,dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=external,dc=cch to dc=dighum
#
#database relay
#suffix "ou=external,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=student,dc=cch to dc=dighum
#
#database relay
#suffix "ou=student,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map ou=project,dc=cch to dc=dighum
#
#database relay
#suffix "ou=project,dc=cch,dc=kcl,dc=ac,dc=uk"
#relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
#overlay rwm
#rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"
#
# map dc=cch to dc=dighum
#
database relay
suffix "dc=cch,dc=kcl,dc=ac,dc=uk"
relay "dc=dighum,dc=kcl,dc=ac,dc=uk"
overlay rwm
rwm-suffixmassage "dc=dighum,dc=kcl,dc=ac,dc=uk"

#######################################################################
# Specific Directives for database dighum
#
database hdb
suffix dc=dighum,dc=kcl,dc=ac,dc=uk
rootdn "cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk"
rootpw "e1NTSEF9TnkzOUx6aGZCRnQvOUIwQzZOeFIvcGtVcXRQWkZObXI="
directory "/var/lib/ldap"
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
index objectClass eq
lastmod on
checkpoint 512 30

#######################################################################
# Specific Directives for database #2, of type 'other' (can be @BACKEND@ too):
#database <other>
#suffix "dc=debian,dc=org"
Tim Watts wrote:
Hi,
Wonderful - the slapd.conf (see end) with a slight re-arrangement, works!
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
does not return userPassword attributes (the -D is convenience, no auth is performed).
However,
ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
Does return userPassword - which is what I want. The UNIX domain socket is protected under a root directory mode 700 so only root can connect this way - i.e., local root use has full unauthenticated access to ldap which is what I want, so that scripts may easily be run to maintain the LDAP database.
The -D is meaningless in both cases. You're clearly using SASL Binds (using Simple binds would require a -x) and SASL Binds always ignore the Bind DN.
On 21/06/12 13:48, Howard Chu wrote:
Tim Watts wrote:
Hi,
Wonderful - the slapd.conf (see end) with a slight re-arrangement, works!
ldapsearch -H ldap://localhost/ -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
does not return userPassword attributes (the -D is convenience, no auth is performed).
However,
ldapsearch -H ldapi:/// -D cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk -b dc=cch,dc=kcl,dc=ac,dc=uk
Does return userPassword - which is what I want. The UNIX domain socket is protected under a root directory mode 700 so only root can connect this way - ie, local root use has full unauthenticated access to ldap which is what I want, so that scripts may easily be run to maintain the LDAP database.
The -D is meaningless in both cases. You're clearly using SASL Binds (using Simple binds would require a -x) and SASL Binds always ignore the Bind DN.
Thanks Howard,
LDAP auth (esp. SASL) is a mystery to me as of now - that's the next bit I will have to grok after getting the thing to dish up directories in the right way :)
openldap-technical@openldap.org