Hi,
I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.
The machine itself is considered secure.
Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.
How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?
================
On an aside - I've tried unauthenticated localhost access - but cannot get that to work. This would be less desirable as anyone with ssh access to the server would be able to bypass security - but I'm still curious to know what I did wrong.
My slapd.d entries are:
cat /etc/ldap/slapd.d/cn=config.ldif
=======================================================================
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: none
olcPidFile: /var/run/slapd/slapd.pid
olcToolThreads: 1
structuralObjectClass: olcGlobal
entryUUID: 62952116-3777-1031-8e1b-bfeeb6e70114
creatorsName: cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.839791Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20120521095922Z
olcAllows: bind_anon_cred bind_anon_dn update_anon ### <<< Added this
=======================================================================
cat /etc/ldap/slapd.d/cn=config/olcDatabase={1}hdb.ldif
=======================================================================
dn: olcDatabase={1}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=cch,dc=kcl,dc=ac,dc=uk
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by peername.regex=127.0.0.1 manage ###<<< Added
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk
olcRootPW:: e1NTSEF9TVFtdlA4Q2FJUjZqOEdpMytlcWd5Zk1BUWFjVmpGM1c=
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
structuralObjectClass: olcHdbConfig
entryUUID: 62964ee2-3777-1031-8e25-bfeeb6e70114
creatorsName: cn=admin,cn=config
createTimestamp: 20120521095922Z
entryCSN: 20120521095922.847576Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20120521095922Z
=======================================================================
Sorry this is a bit of a numpty question - I'm learning slapd - in a hurry(!)
Many thanks in advance :)
Tim
--On Monday, May 21, 2012 11:42 AM +0100 Tim Watts tw@dionic.net wrote:
Hi,
I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.
The machine itself is considered secure.
Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.
How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
This says "self" can write to these attributes, regardless of origination
This says "anonymous" can access these when authenticating
This says the user "cn=admin..." can write to these attributes
olcAccess: {1}to dn.base="" by * read
This says anyone can read the base
olcAccess: {2}to * by peername.regex=127.0.0.1 manage ###<<< Added
This is garbage because you unnecessarily escaped the periods. Also, there is no need to use a regex, since you are being exact.
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
This ACL will never be evaluated because the ACL prior to this already references "*".
My *guess* at what you are trying to do above would be:
olcAccess: {2}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by peername.ip=127.0.0.1 manage by peername.ip=::1 manage by * read
However, this still isn't what you want, because that isn't restricting by domain socket. As noted in the slapd.access man page, if you want to limit by domain socket, you need to use the "path" prefix. I.e.
peername.path=/path/to/socket
for example:
peername.path="/var/run/ldapi"
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Hi Quanah,
On 22/05/12 03:26, Quanah Gibson-Mount wrote:
--On Monday, May 21, 2012 11:42 AM +0100 Tim Watts tw@dionic.net wrote:
Hi,
I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.
The machine itself is considered secure.
Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.
How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
This says "self" can write to these attributes, regardless of origination
This says "anonymous" can access these when authenticating
This says the user "cn=admin..." can write to these attributes
olcAccess: {1}to dn.base="" by * read
This says anyone can read the base
olcAccess: {2}to * by peername.regex=127.0.0.1 manage ###<<< Added
This is garbage
I'd go as far as "complete bollocks" ;-> I do not yet have a feel for this style of ACL, so I'm not surprised...
because you unnecessarily escaped the periods.
Ah. I did that because it is a regex (thinking in perl).
Also, there is no need to use a regex, since you are being exact.
Yes - that does seem kind of obvious now you just said it :-o
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
This ACL will never be evaluated because the ACL prior to this already references "*".
Ah - I see...
My *guess* at what you are trying to do above would be:
olcAccess: {2}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by peername.ip=127.0.0.1 manage by peername.ip=::1 manage by * read
Cool - I'll try that.
However, this still isn't what you want, because that isn't restricting by domain socket. As noted in the slapd.access man page, if you want to limit by domain socket, you need to use the "path" prefix. I.e.
peername.path=/path/to/socket
for example:
peername.path="/var/run/ldapi"
Ah - I see - sorry, my bad for not reading properly...
Anyway - big thanks - you've helped me to get a sane starting point. Once I get the hang of how the basics work, I should be able to experiment and learn some more...
All the best,
Tim
On 22/05/12 03:26, Quanah Gibson-Mount wrote:
--On Monday, May 21, 2012 11:42 AM +0100 Tim Watts tw@dionic.net wrote:
Hi,
I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
I'd like to have root@localhost be able to perform "manage" operations on the slapd on the localhost *only* - all other ACLs would be pretty standard.
The machine itself is considered secure.
Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by root.
How do you enable a "manage" ACL for the entire DN if and only if the access comes via the unix socket?
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
This says "self" can write to these attributes, regardless of origination
This says "anonymous" can access these when authenticating
This says the user "cn=admin..." can write to these attributes
olcAccess: {1}to dn.base="" by * read
This says anyone can read the base
olcAccess: {2}to * by peername.regex=127.0.0.1 manage ###<<< Added
This is garbage because you unnecessarily escaped the periods. Also, there is no need to use a regex, since you are being exact.
olcAccess: {3}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
This ACL will never be evaluated because the ACL prior to this already references "*".
My *guess* at what you are trying to do above would be:
olcAccess: {2}to * by self write by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by peername.ip=127.0.0.1 manage by peername.ip=::1 manage by * read
However, this still isn't what you want, because that isn't restricting by domain socket. As noted in the slapd.access man page, if you want to limit by domain socket, you need to use the "path" prefix. I.e.
peername.path=/path/to/socket
for example:
peername.path="/var/run/ldapi"
Hi Quanah,
Just to confirm, I combined your suggestions into
olcAccess: {2}to * by self write by dn="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage by peername.path="/var/run/ldap/ldapi" manage by * read
and did a chmod 750 /var/run/slapd (which is where the actual socket lives, being Debian; the /var/run/ldap/ldapi path above is a symlink to this).
Seems to work wonderfully - few more tests, but once again thanks for all your excellent help :)
Tim
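The following is an added example, not code from the thread or from OpenLDAP: a small Python model of how slapd evaluates the olcAccess rules quoted above (first matching "to" clause wins, then the first matching "by" clause, with an implicit "by * none"), so the difference between Tim's original {2}/{3} rules and his final peername.path rule can be checked without a running slapd. It assumes slapd's peername strings look like "IP=addr:port" for TCP and "PATH=/socket" for ldapi://, covers only the "to" targets and "by" subjects that appear in this thread, and shows the final rule with the same base DN as the rest of the thread.

```python
import re

# slapd access levels in increasing order (slapd.access(5)); a higher grant includes the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
ADMIN = 'dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk"'
# The thread's original {2}/{3} rules, and Tim's final rule (assumed base DN as above).
ORIGINAL = ["{2}to * by peername.regex=127.0.0.1 manage",
            "{3}to * by self write by " + ADMIN + " write by * read"]
FINAL = ["{2}to * by self write by " + ADMIN + ' manage by peername.path="/var/run/ldap/ldapi" manage by * read']

def parse_acl(line):
    """Split one olcAccess value into (what, [(who, level), ...]); the {n} ordering prefix is dropped."""
    body = re.sub(r"^\{\d+\}", "", line.strip())
    parts = re.split(r"\s+by\s+", body)
    return parts[0][len("to "):].strip(), [tuple(p.rsplit(" ", 1)) for p in parts[1:]]

def what_matches(what, req):
    if what.startswith("attrs="):
        return req["attr"] in what[len("attrs="):].split(",")
    return what == "*" or (what == 'dn.base=""' and req["dn"] == "")

def who_matches(who, req):
    # Assumed peername format: "IP=addr:port" for TCP, "PATH=/socket" for a Unix domain socket.
    peer = req["peername"]
    if who == "*":
        return True
    if who == "anonymous":
        return req["binddn"] == ""
    if who == "self":
        return req["binddn"] != "" and req["binddn"] == req["dn"]
    if who.startswith("dn="):
        return req["binddn"] == who[len("dn="):].strip('"')
    if who.startswith("peername.ip="):  # exact address comparison, no regex involved
        return peer.startswith("IP=") and peer[3:].rsplit(":", 1)[0].strip("[]") == who[len("peername.ip="):]
    if who.startswith("peername.path="):  # only a connection over the named socket can match
        return peer == "PATH=" + who[len("peername.path="):].strip('"')
    if who.startswith("peername.regex="):  # an unescaped '.' matches any character
        return re.search(who[len("peername.regex="):].strip('"'), peer) is not None
    return False

def granted(acls, req):
    """First 'to' clause matching the target wins; a match with no matching 'by' denies, so later rules are never reached."""
    for what, bys in map(parse_acl, acls):
        if what_matches(what, req):
            return next((level for who, level in bys if who_matches(who, req)), "none")
    return "none"

def allowed(acls, req, needed):
    return LEVELS.index(granted(acls, req)) >= LEVELS.index(needed)
```

With ORIGINAL, an anonymous bind over the socket gets nothing and cn=admin from a remote address also gets nothing, because {2} matches every target and {3} is never consulted; with FINAL the socket gets manage, cn=admin gets manage from anywhere, and loopback TCP falls through to read.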