Hi,
I am using OLC and ACLs to limit responses from LDAP based on IP address, and this is working fine if I have a single ACL. When I add a second ACL with a different IP address, the new ACL works, but the previous one does not.
Example: Entries in LDAP:
# 10.0.0.92, servers, test.com
dn: cn=10.0.0.92,ou=servers,dc=test,dc=com
objectClass: groupOfNames
cn: 10.0.0.92
description: Allowed access
member: uid=aaa,dc=test,dc=com

# 10.0.0.94, servers, test.com
dn: cn=10.0.0.94,ou=servers,dc=test,dc=com
objectClass: groupOfNames
cn: 10.0.0.94
description: Allowed access
member: uid=aaa,dc=test,dc=com

# aaa, test.com
dn: uid=aaa,dc=test,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: ldapPublicKey
objectClass: shadowAccount
uid: aaa
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/aaa
loginShell: /usr/local/bin/bash
mail: a@test.com
ou: users
cn: User A
sn: A
userPassword:: xxx
OLC entries:
# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za/parts/new/instances/test/openldap-data
olcSuffix: dc=test,dc=com
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.92" read by * none
olcAccess: {1}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: test
At this point, running ldapsearch from the computer with IP address 10.0.0.92 works correctly, and only the filtered results are returned. If I then add a second ACL:
# {1}ldif, config
dn: olcDatabase={1}ldif,cn=config
objectClass: olcLdifConfig
olcDatabase: {1}ldif
olcDbDirectory: /var/pq/0/mount/resolve/installations/entities/vmi/location/za/parts/new/instances/test/openldap-data
olcSuffix: dc=test,dc=com
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.94,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.94" read by * none
olcAccess: {1}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.92" read by * none
olcAccess: {2}to * by self write by peername.ip="127.0.0.1" write by * none
olcRootDN: cn=Manager,dc=test,dc=com
olcRootPW: test
The computer with IP 10.0.0.94 can now query LDAP and receives the correct filtered results; however, the computer with IP 10.0.0.92 receives a blank result:
$ ldapsearch -x -h 10.0.0.91 -b dc=test,dc=com
# extended LDIF
#
# LDAPv3
# base <dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Is this the way that ACLs work in OpenLDAP? Or have I missed a configuration setting somewhere?
Thanks /Cole
On 29 March 2016 at 18:41, Cole cole@opteqint.net wrote:
Hi,
I have managed to solve this myself. I misunderstood the documentation, and have subsequently realised that I needed to change the ACL rules to the following:
olcAccess: {0}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.94,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.94" read by * break
olcAccess: {1}to filter=(|(&(objectClass=inetOrgPerson)(memberOf=cn=10.0.0.92,ou=servers,dc=test,dc=com))(objectClass=posixGroup)) by self read by peername.ip="10.0.0.92" read by * break
Sorry for the trouble.
Regards /Cole
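To make the behaviour in both messages above reproducible without a slapd instance, here is an added Python model of the slapd.access(5) evaluation order; it is not code from this thread or from OpenLDAP. It covers the two rules that matter here: the first access directive whose "to" clause matches an entry is the only one consulted for that entry, and within it the first matching "by" clause decides, unless that clause says break, which passes the entry on to the next directive. The entries, DNs and addresses are constructed to mirror the thread; uid=bbb is an invented extra user who belongs to only one server group, and memberOf is assumed to be present on the entries as the memberof overlay would maintain it.

```python
"""Model of the slapd ACL evaluation order that this thread runs into.

Added example; it is not code from the thread or from OpenLDAP itself.
It implements the two facts from slapd.access(5) that explain the
behaviour reported above:

  1. the FIRST access directive whose <what> clause matches an entry is
     selected; later directives are never consulted for that entry;
  2. within it, the first matching <who> clause decides. A level such as
     'read' or 'none' ends evaluation, while the control 'break' hands
     the entry on to the next access directive.

Entries, DNs and addresses are constructed to mirror the thread; uid=bbb
is an invented extra user who belongs to only one server group. memberOf
is taken as an attribute already present on the entry, as the memberof
overlay would maintain it.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Privilege levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


@dataclass(frozen=True)
class Entry:
    dn: str
    object_classes: frozenset
    member_of: frozenset = frozenset()


@dataclass(frozen=True)
class By:
    """One <who> clause; kind is 'self', 'peername.ip' or '*'."""
    kind: str
    access: str          # a level from LEVELS, or the control 'break'
    value: str = ""      # the address for peername.ip


@dataclass(frozen=True)
class Access:
    """One olcAccess directive: a <what> predicate and its ordered <who> clauses."""
    what: Callable[[Entry], bool]
    by: Tuple[By, ...]


def server_filter(ip: str) -> Callable[[Entry], bool]:
    """The thread's <what>: (|(&(objectClass=inetOrgPerson)(memberOf=cn=<ip>,...))(objectClass=posixGroup))."""
    group = f"cn={ip},ou=servers,dc=test,dc=com"
    return lambda e: ("inetOrgPerson" in e.object_classes and group in e.member_of) \
        or "posixGroup" in e.object_classes


def who_matches(by: By, entry: Entry, peer_ip: str, bind_dn: Optional[str]) -> bool:
    if by.kind == "*":
        return True
    if by.kind == "self":
        return bind_dn is not None and bind_dn == entry.dn
    if by.kind == "peername.ip":
        return peer_ip == by.value
    raise ValueError(f"unsupported <who> kind: {by.kind}")


def evaluate(acls, entry: Entry, peer_ip: str, bind_dn: Optional[str] = None) -> str:
    """Access level the client gets on `entry` under slapd's first-match rule."""
    for acl in acls:
        if not acl.what(entry):
            continue                  # <what> does not select this entry; try the next directive
        for by in acl.by:
            if who_matches(by, entry, peer_ip, bind_dn):
                if by.access == "break":
                    break             # matched, but defer to the next directive
                return by.access      # first matching <who> decides, evaluation stops
        else:
            return "none"             # <what> matched but no <who> did: implicit 'by * none'
    return "none"                     # no directive selected the entry


def visible_entries(acls, entries, peer_ip: str, bind_dn: Optional[str] = None):
    """DNs a search from peer_ip would return: those with at least 'read' access."""
    return [e.dn for e in entries
            if LEVELS.index(evaluate(acls, e, peer_ip, bind_dn)) >= LEVELS.index("read")]


G92 = "cn=10.0.0.92,ou=servers,dc=test,dc=com"
G94 = "cn=10.0.0.94,ou=servers,dc=test,dc=com"
ENTRIES = (
    Entry(G92, frozenset({"groupOfNames"})),
    Entry(G94, frozenset({"groupOfNames"})),
    Entry("uid=aaa,dc=test,dc=com", frozenset({"inetOrgPerson", "posixAccount"}), frozenset({G92, G94})),
    Entry("uid=bbb,dc=test,dc=com", frozenset({"inetOrgPerson", "posixAccount"}), frozenset({G94})),  # constructed
)


def server_acl(ip: str, last: str) -> Access:
    """to filter=<server_filter> by self read by peername.ip=<ip> read by * <last>"""
    return Access(server_filter(ip), (By("self", "read"), By("peername.ip", "read", ip), By("*", last)))


# {n}to * by self write by peername.ip="127.0.0.1" write by * none
CATCH_ALL = Access(lambda e: True, (By("self", "write"), By("peername.ip", "write", "127.0.0.1"), By("*", "none")))

FIRST_ATTEMPT = (server_acl("10.0.0.94", "none"), server_acl("10.0.0.92", "none"), CATCH_ALL)
FIXED = (server_acl("10.0.0.94", "break"), server_acl("10.0.0.92", "break"), CATCH_ALL)

if __name__ == "__main__":
    for label, acls in (("by * none", FIRST_ATTEMPT), ("by * break", FIXED)):
        for ip in ("10.0.0.92", "10.0.0.94", "10.0.0.95", "127.0.0.1"):
            print(f"{label:11} {ip:10} -> {visible_entries(acls, ENTRIES, ip)}")
```

Running it shows the shadowing directly: uid=aaa is a member of both server groups, so directive {0} (the 10.0.0.94 filter) selects it for every client, and its final "by * none" ends evaluation before {1} is ever reached; the same shadowing hides every user entry from 127.0.0.1, since the "to *" write rule is never consulted for entries that {0} selected. With "by * break" the unmatched client falls through to {1} and then to the catch-all, so 10.0.0.92 sees uid=aaa, an unlisted address such as 10.0.0.95 still sees nothing, and localhost keeps its write access. The model only tracks entry-level access; real slapd additionally requires search access to the attributes named in the client's filter, so the two filtered directives should be read with that in mind.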
openldap-technical@openldap.org