Dear colleagues,
There's a question I posted on ServerFault (https://serverfault.com/questions/1088252/a-very-simple-olcaccess-rule-doesn...), but it seems that asking my question on this mailing list would be a better idea.
So, long story short, I have a domain (let's call it `dc=example,dc=org`).
The domain has a branch (`ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).
There's a simpleSecurityObject in this domain (`uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`).
I need the uid=admin,*** user to have full (manage) access to the ou=users,*** branch, so I added the following olcAccess record: `to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"`.
It has been added to the default set of rules:
```
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=example,dc=org" write by anonymous auth by * none
olcAccess: {2}to * by self read by dn="cn=admin,dc=example,dc=org" write by * none
olcAccess: {3}to dn.subtree="ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" by dn.exact="uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org" manage
```
But something seems to be wrong. When I run `ldapsearch -D uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org -W -b ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org`, I get the following result:
```
# extended LDIF
#
# LDAPv3
# base <ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 32 No such object

# numResponses: 1
command terminated with exit code 32
```
The object is actually available and `cn=admin,dc=example,dc=org` can see it without any difficulties, so it seems that my access rule is wrong. But what exactly is wrong with it?
It seems that the default rule #2 (`{2} to * by self read by dn="cn=admin,dc=example,dc=org" write by * none`) fires up earlier than the rule I added. Does that mean that I should always add my custom rules before it?
And why does this rule have `by * none`? Doesn't it contradict the OpenLDAP documentation? "The default access control policy is allow read by all clients" (https://www.openldap.org/doc/admin24/access-control.html).
Thank you in advance.
With best regards, V.Melnyk
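The evaluation order behind the symptom above, as an added example that is not part of the original post and not OpenLDAP's code: a small Python model of how slapd walks olcAccess directives. It follows section 8.2.4 of the admin guide (the first matching `to` clause is selected, then the first matching `by` clause decides; the default control is `stop`, `break` moves on to the next `to`, and an exhausted `by` list is a deny). The DNs and directives are the ones from the message with LDIF line folds joined; the two reordered rule sets and the `by * break` suffix are constructed for the example, and incremental `+`/`-` privileges, `continue`, and regex or filter qualifiers are left out.

```python
"""Toy model of how slapd walks olcAccess directives; an added example, not OpenLDAP code.
Order follows admin guide 8.2.4: first matching <to> clause, then first matching <by>
clause; default control 'stop', 'break' moves to the next <to>, exhausted <by> list = deny.
Left out: '+'/'-' incremental privileges, 'continue', regex and filter qualifiers."""
import re
from dataclasses import dataclass
from typing import List, Optional

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
CONTROLS = ("stop", "break")

@dataclass
class By:
    who: str              # '*', 'self', 'anonymous', 'dn=<dn>' or 'dn.exact=<dn>'
    level: Optional[str]  # None: no level named, the accumulated level stays unchanged
    control: str          # 'stop' (default) or 'break'

@dataclass
class Rule:
    what: str             # '*', 'dn.subtree=<dn>' or 'attrs=<a>,<b>'
    bys: List[By]

def parse_rule(text: str) -> Rule:
    """Parse one olcAccess value such as '{2}to * by self read by * none'."""
    text = re.sub(r"^\{\d+\}", "", text.strip()).replace('"', "")
    if not text.startswith("to "):
        raise ValueError(f"expected 'to <what> by ...', got {text!r}")
    what, *by_parts = re.split(r"\s+by\s+", text[3:].strip())
    bys = []
    for part in by_parts:
        tokens = part.split()
        who = tokens.pop(0)
        level = tokens.pop(0) if tokens and tokens[0] in LEVELS else None
        control = tokens.pop(0) if tokens and tokens[0] in CONTROLS else "stop"
        bys.append(By(who, level, control))
    return Rule(what, bys)

def _what_matches(rule: Rule, target_dn: str, attr: str) -> bool:
    if rule.what == "*":
        return True
    kind, _, value = rule.what.partition("=")
    if kind == "dn.subtree":
        dn, base = target_dn.lower(), value.lower()
        return dn == base or dn.endswith("," + base)
    if kind == "attrs":
        return attr.lower() in [a.lower() for a in value.split(",")]
    raise ValueError(f"unsupported <what> clause: {rule.what!r}")

def _who_matches(by: By, bind_dn: str, target_dn: str) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return bind_dn == ""
    if by.who == "self":
        return bind_dn.lower() == target_dn.lower()
    kind, _, value = by.who.partition("=")
    if kind in ("dn", "dn.exact"):  # a bare dn= means dn.exact in slapd
        return bind_dn.lower() == value.lower()
    raise ValueError(f"unsupported <by> subject: {by.who!r}")

def access(rules: List[Rule], bind_dn: str, target_dn: str, attr: str = "entry") -> str:
    """Level bind_dn ('' = anonymous) gets on attr of target_dn; 'entry' is the
    pseudo-attribute slapd checks to decide whether an entry is visible at all."""
    granted = "none"
    for rule in rules:
        if not _what_matches(rule, target_dn, attr):
            continue
        for by in rule.bys:
            if not _who_matches(by, bind_dn, target_dn):
                continue
            if by.level is not None:
                granted = by.level
            if by.control == "stop":
                return granted
            break                  # 'break': keep the level, go on to the next <to>
        else:
            return "none"          # no <by> matched: implicit 'by * none'
    return granted

def evaluate(rule_texts: List[str], bind_dn: str, target_dn: str) -> str:
    return access([parse_rule(r) for r in rule_texts], bind_dn, target_dn)

# DNs and directives copied from the message, LDIF line folds joined.
USERS_OU = "ou=users,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"
FTP_ADMIN = "uid=admin,ou=managers,ou=ftp,ou=services,dc=k9999,dc=z9999,dc=infra,dc=example,dc=org"
DIR_ADMIN = "cn=admin,dc=example,dc=org"
SUBTREE_RULE = f'to dn.subtree="{USERS_OU}" by dn.exact="{FTP_ADMIN}" manage'
PAGE_RULES = [
    "{0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break",
    f'{{1}}to attrs=userPassword,shadowLastChange by self write by dn="{DIR_ADMIN}" write by anonymous auth by * none',
    f'{{2}}to * by self read by dn="{DIR_ADMIN}" write by * none',
    "{3}" + SUBTREE_RULE,
]
# Constructed variants: the subtree rule moved ahead of the catch-all 'to *', without and
# with a trailing 'by * break' that hands everyone else on to the remaining directives.
REORDERED_NO_BREAK = [PAGE_RULES[0], PAGE_RULES[1], SUBTREE_RULE, PAGE_RULES[2]]
REORDERED_WITH_BREAK = [PAGE_RULES[0], PAGE_RULES[1], SUBTREE_RULE + " by * break", PAGE_RULES[2]]

if __name__ == "__main__":
    for label, rules in (("page order", PAGE_RULES), ("subtree first, no break", REORDERED_NO_BREAK),
                         ("subtree first, by * break", REORDERED_WITH_BREAK)):
        print(f"{label:26} uid=admin: {evaluate(rules, FTP_ADMIN, USERS_OU):7}"
              f" cn=admin: {evaluate(rules, DIR_ADMIN, USERS_OU)}")
```

In the page's order, uid=admin ends up with `none` on the branch: `{0}` falls through via `by * break`, `{1}` does not apply to the entry itself, and the catch-all `{2}to *` is selected next, where `by * none` stops evaluation before `{3}` is ever consulted. Moving the subtree rule ahead of `{2}` gives uid=admin `manage`, but on its own it also drops cn=admin,dc=example,dc=org to `none` on that branch, because a `by` list that nothing matches is a deny; ending the inserted rule with `by * break` keeps the other identities' existing access. slapd reports an entry the bound identity may not even disclose as result 32 (noSuchObject) rather than insufficientAccess, which is why the denied search above reads as a missing entry.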
It seems that rule #2 (I mean this one: `to * by self read by dn="cn=admin,dc=example,dc=org" write by * none`) isn't "default" at all.
I've just found another instance of OpenLDAP (I deployed it about 4 years ago). This instance (2.4.40) doesn't have such a rule at all. It seems that it was not added by OpenLDAP itself, but rather manually by someone or something else. Am I right? Doesn't OpenLDAP have such a rule by default?
------ Original Message ------
From: "Volodymyr Melnyk" v.melnyk@tucha.ua
To: openldap-technical@openldap.org
Sent: 27.12.2021 11:16:22
Subject: A very simple olcAccess rule doesn't work
--On Monday, December 27, 2021 9:16 AM +0000 Volodymyr Melnyk v.melnyk@tucha.ua wrote:
And why does this rule have `by * none`? Doesn't it contradict the OpenLDAP documentation? "The default access control policy is allow read by all clients" (https://www.openldap.org/doc/admin24/access-control.html).
You missed section 8.2.4, Access Control Evaluation, which specifically elaborates on this:
"If there are no access directives applicable to a backend, then a default read is used."
You clearly have access rules defined, so none of the above applies.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
openldap-technical@openldap.org