Hello list,
I'm just learning about access control.
I want to set up my clients to manage their posixAccounts and posixGroups through the LDAP directory. With the default access rights it's working. Clients look at the directory anonymously for the group, e.g. at boot time or on user login. Syslog shows me:
~$ sudo egrep "slapd[.*]: conn=1186" /var/log/syslog
slapd[2340]: conn=1186 fd=13 ACCEPT from IP=192.168.1.64:35566 (IP=0.0.0.0:389)
slapd[2340]: conn=1186 op=0 BIND dn="" method=128
slapd[2340]: conn=1186 op=0 RESULT tag=97 err=0 text=
slapd[2340]: conn=1186 op=1 SRCH base="dc=hoeft-online,dc=de" scope=2 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=1002))"
slapd[2340]: conn=1186 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
slapd[2340]: conn=1186 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2340]: conn=1186 fd=13 closed (connection lost)
~$
slapd ACCEPTs a connection from the client, BINDs anonymously with the simple method (BIND dn="" method=128) and searches with filter="(&(objectClass=posixGroup)(gidNumber=1002))", with SEARCH RESULT success (err=0 nentries=1).
Testing it with:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
dn: cn=gemeinsam,ou=groups,ou=home,dc=hoeft-online,dc=de
cn: gemeinsam
gidNumber: 1002
objectClass: top
objectClass: posixGroup
memberUid: ingo
memberUid: uschi
~$
Now I try to restrict anonymous read to posixGroup and posixAccount only, because I don't want anonymous reading other entries. I modified the default access control to this:
olcAccess: to filter="(|(objectClass=posixAccount)(objectClass=posixGroup))" by anonymous read
olcAccess: to * by self write by dn=<admin> write by * none
Now I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
No such object (32)
~$
It works with: olcAccess: to filter="(objectClass=*)" by anonymous read
or
olcAccess: to filter="(objectClass=top)" by anonymous read
What am I misunderstanding here?
And yes, I have read slapd.access three times but do not really understand everything till now.
Kind regards, Ingo
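The syslog excerpt above is what a defender would watch to see which lookups the directory still answers anonymously after an ACL change. The following parser is an added example, not code from the post or from OpenLDAP: it correlates each connection's BIND dn with its later SRCH and SEARCH RESULT lines and lists every search made on an anonymous connection with its result code. The sample log is constructed: conn=1186 is copied from the post, conn=1187 is an added anonymous search that the server refuses with err=32.

```python
import re

# Constructed sample log, modelled on the syslog excerpt in the post: conn=1186 is
# copied from it, conn=1187 is an added anonymous search refused by ACL (err=32).
SAMPLE_LOG = """\
slapd[2340]: conn=1186 fd=13 ACCEPT from IP=192.168.1.64:35566 (IP=0.0.0.0:389)
slapd[2340]: conn=1186 op=0 BIND dn="" method=128
slapd[2340]: conn=1186 op=0 RESULT tag=97 err=0 text=
slapd[2340]: conn=1186 op=1 SRCH base="dc=hoeft-online,dc=de" scope=2 deref=0 filter="(&(objectClass=posixGroup)(gidNumber=1002))"
slapd[2340]: conn=1186 op=1 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
slapd[2340]: conn=1186 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2340]: conn=1186 fd=13 closed (connection lost)
slapd[2340]: conn=1187 fd=14 ACCEPT from IP=192.168.1.64:35570 (IP=0.0.0.0:389)
slapd[2340]: conn=1187 op=0 BIND dn="" method=128
slapd[2340]: conn=1187 op=0 RESULT tag=97 err=0 text=
slapd[2340]: conn=1187 op=1 SRCH base="dc=hoeft-online,dc=de" scope=2 deref=0 filter="(objectClass=*)"
slapd[2340]: conn=1187 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

CONN_RE = re.compile(r'conn=(?P<conn>\d+) (?P<rest>.*)$')
BIND_RE = re.compile(r'op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=\d+')
SRCH_RE = re.compile(r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" .*filter="(?P<filter>.*)"$')
RES_RE = re.compile(r'op=(?P<op>\d+) SEARCH RESULT .*err=(?P<err>\d+) nentries=(?P<n>\d+)')

def anonymous_searches(log_text):
    """Correlate BIND and SRCH lines per connection and return one record for
    every search run on an anonymous (dn="") connection, with its outcome."""
    bind_dn = {}   # conn -> DN given in the last BIND on that connection
    pending = {}   # (conn, op) -> search details awaiting its SEARCH RESULT
    found = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = m.group('conn'), m.group('rest')
        if (b := BIND_RE.match(rest)):
            bind_dn[conn] = b.group('dn')
        elif (s := SRCH_RE.match(rest)):
            # A connection that never sent a BIND is anonymous too (LDAPv3).
            if bind_dn.get(conn, '') == '':
                pending[(conn, s.group('op'))] = {
                    'conn': conn, 'base': s.group('base'), 'filter': s.group('filter')}
        elif (r := RES_RE.match(rest)):
            rec = pending.pop((conn, r.group('op')), None)
            if rec is not None:
                rec['err'], rec['nentries'] = int(r.group('err')), int(r.group('n'))
                found.append(rec)
    return found
```

Feed it the output of the egrep from the post (without the conn= restriction) to see at a glance which anonymous lookups succeed and which are refused after each ACL edit.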
I've made a step forward. My problem has something to do with access to parent entries.
To summarize it:
With:
olcAccess: to filter="(|(objectClass=posixAccount)(objectClass=posixGroup))" by anonymous read
I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
No such object (32)
~$
With:
olcAccess: to dn.sub="" by anonymous search
I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
~$
No return message means the object was found.
But how can I set anonymous to read posixAccounts or posixGroups and restrict their parents to search only?
olcAccess: to dn.sub="" by anonymous search break
olcAccess: to filter="(|(objectClass=posixAccount)(objectClass=posixGroup))" by anonymous read
does not work (No such object (32)). Any ideas?
Ingo
On 2013-07-02 13:57, Ingo wrote:
openldap-technical@openldap.org