olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
...
olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs= by ssf=64 dn.exact="yyyy" read by * break
olcAccess: {8} to dn.subtree="xxxxxx" by ssf=256 dn.exact="yyyy" search by ssf=256 self read by anonymous
Is there not a syntax or so for attrs=-userPassword?
Or am I approaching this incorrectly?
--On Sunday, August 27, 2023 5:21 PM +0000 Marc <Marc@f1-outsourcing.eu> wrote:
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
The above 2 acls generally go on the frontend DB.
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
...
olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs= by ssf=64 dn.exact="yyyy" read by * break
olcAccess: {8} to dn.subtree="xxxxxx" by ssf=256 dn.exact="yyyy" search by ssf=256 self read by anonymous
The rest of these acls generally go on the MDB database. Have you configured your backend ACLs incorrectly?
What exactly is the issue you're trying to report? Your subject doesn't really give a solid indication of what the problem is you're having.
--Quanah
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
The above 2 acls generally go on the frontend DB.
Hmmm, I have everything on {-1}frontend.
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
...
olcAccess: {7} to dn.subtree="xxxxxx" filter=(objectClass=posixAccount) attrs= by ssf=64 dn.exact="yyyy" read by * break
olcAccess: {8} to dn.subtree="xxxxxx" by ssf=256 dn.exact="yyyy" search by ssf=256 self read by anonymous
The rest of these acls generally go on the MDB database. Have you configured your backend ACLs incorrectly?
What exactly is the issue you're trying to report? Your subject doesn't really give a solid indication of what the problem is you're having.
yyyy is getting the userPassword hash, which I do not want it to have. Of course I can list 50 attributes which it can have. But it would be nicer if I could just exclude an attribute.
On 8/27/23 19:01, Marc wrote:
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
I think the problem is this rule. You specify 'by * none break', which means that evaluation is not stopped if this rule does not match. Because of that, the later rules for user 'yyyy' do match and 'yyyy' can read the 'userPassword' attribute.
You would have to specify a separate rule for 'userPassword' without 'break', something like this:
olcAccess: {1} to attrs=userPassword by self read by anonymous auth
On 8/27/23 19:01, Marc wrote:
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
I think the problem is this rule. You specify 'by * none break', which means that evaluation is not stopped if this rule does not match. Because of that, the later rules for user 'yyyy' do match and 'yyyy' can read the 'userPassword' attribute.
You would have to specify a separate rule for 'userPassword' without 'break', something like this:
olcAccess: {1} to attrs=userPassword by self read by anonymous auth
Well done Souji! Thanks that seems to be working better, and I can remove these redundant read - search combinations!
--On Sunday, August 27, 2023 9:20 PM +0000 Marc <Marc@f1-outsourcing.eu> wrote:
On 8/27/23 19:01, Marc wrote:
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
I think the problem is this rule. You specify 'by * none break', which means that evaluation is not stopped if this rule does not match. Because of that, the later rules for user 'yyyy' do match and 'yyyy' can read the 'userPassword' attribute.
You would have to specify a separate rule for 'userPassword' without 'break', something like this:
olcAccess: {1} to attrs=userPassword by self read by anonymous auth
Well done Souji! Thanks that seems to be working better, and I can remove these redundant read - search combinations!
Yes, two things to keep in mind:
a) "by * none" is implicit in every ACL statement.
b) Adding "break" to it means that the rest of the ACLs continue processing.
As for the frontend ACL bit, I strongly advise only having those first 2 ACLs present there, otherwise they apply to every database on the server. It's better to locate ACLs in the databases they are meant for.
Examples:
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.base="" by * read
olcAccess: {1}to dn.exact="cn=Subschema" by * read

dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth
olcAccess: {1}to * by self write by sockurl.exact="^ldapi:///$" write by users read

dn: olcDatabase={2}monitor,cn=config
olcAccess: {0}to * by * read
etc.
--Quanah
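To make Souji's diagnosis and Quanah's two points concrete, here is a small added model of how slapd walks olcAccess rules (first matching "to" clause, first matching "by" clause, implicit "by * none", and "break" falling through to the next ACL). It is written for this thread and is not slapd's code or anything from the original posts; the two rules, the "yyyy" and "alice" DNs, and the ssf values are constructed to mirror the configuration discussed, with the real dn.subtree and filter selectors left out.

```python
"""Toy model of slapd olcAccess evaluation (constructed for this thread; not slapd code).

Rules modelled, following slapd.access(5):
  * ACLs are tried in order; the first whose <what> part matches the
    requested attribute is selected and later ACLs are normally ignored.
  * Inside the selected ACL the <who> clauses are tried in order; the
    first one that matches decides the access level.
  * Every ACL ends with an implicit "by * none" whose control is "stop".
  * A <who> clause marked "break" records its level but lets evaluation
    continue with the next ACL, which may then grant a different level.
Simplifications: only attribute selectors (no dn.subtree/filter), only the
"stop" and "break" controls, and ssf is treated as a plain minimum.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass
class Who:
    subject: str            # "*", "self", "anonymous", "users" or "dn:<exact dn>"
    level: str              # none, auth, search, read, write, ...
    control: str = "stop"   # "stop" (default) or "break"
    ssf: int = 0            # required minimum security strength factor


@dataclass
class Acl:
    attrs: Optional[FrozenSet[str]]   # None means "to *"
    whos: List[Who]


@dataclass
class Request:
    bind_dn: Optional[str]   # None = anonymous bind
    target_dn: str
    attr: str
    ssf: int                 # strength of the connection (0 = cleartext)


IMPLICIT_TAIL = Who("*", "none")   # the implicit "by * none" on every ACL


def who_matches(who: Who, req: Request) -> bool:
    if req.ssf < who.ssf:
        return False
    if who.subject == "*":
        return True
    if who.subject == "anonymous":
        return req.bind_dn is None
    if who.subject == "users":
        return req.bind_dn is not None
    if who.subject == "self":
        return req.bind_dn is not None and req.bind_dn == req.target_dn
    if who.subject.startswith("dn:"):
        return req.bind_dn == who.subject[len("dn:"):]
    raise ValueError("unknown <who>: " + who.subject)


def evaluate(acls: List[Acl], req: Request):
    """Return (granted level, trace of (acl index, who, level, control))."""
    granted, trace = "none", []
    for index, acl in enumerate(acls):
        if acl.attrs is not None and req.attr not in acl.attrs:
            continue                     # <what> does not select this attribute
        for who in acl.whos + [IMPLICIT_TAIL]:
            if not who_matches(who, req):
                continue
            trace.append((index, who.subject, who.level, who.control))
            granted = who.level
            if who.control == "break":
                break                    # fall through to the next ACL
            return granted, trace        # "stop": evaluation ends here
    return granted, trace                # ran out of ACLs after a "break"


def thread_rules(with_break: bool) -> List[Acl]:
    """Simplified form of the two rules at issue (constructed, not the real config)."""
    password_whos = [Who("self", "read", ssf=256), Who("anonymous", "auth", ssf=256)]
    if with_break:
        password_whos.append(Who("*", "none", control="break"))   # the clause Souji flagged
    return [
        Acl(frozenset({"userPassword", "shadowLastChange"}), password_whos),
        Acl(None, [Who("self", "write"), Who("users", "read")]),  # later catch-all rule
    ]


def level_for_service_account(with_break: bool) -> str:
    """Access the 'yyyy' bind DN gets on someone else's userPassword over TLS (ssf 256)."""
    req = Request(bind_dn="cn=yyyy,dc=example", target_dn="uid=alice,ou=people,dc=example",
                  attr="userPassword", ssf=256)
    return evaluate(thread_rules(with_break), req)[0]


if __name__ == "__main__":
    for with_break in (True, False):
        req = Request("cn=yyyy,dc=example", "uid=alice,ou=people,dc=example", "userPassword", 256)
        level, trace = evaluate(thread_rules(with_break), req)
        print(f"with_break={with_break}: yyyy gets '{level}' on userPassword; trace={trace}")
```

Running it shows the mechanism: with "by * none break" the password rule records "none" but hands evaluation on, and the later catch-all's "by users read" wins, which is exactly the hash leak Marc saw. Without "break" the implicit "by * none" stops evaluation and the service account gets nothing. The same model also shows why a catch-all with "by self write" is worth checking when a "break" is in play: a self bind that fails the ssf=256 test on the password rule falls through to the catch-all and ends up with write access on its own userPassword even over a cleartext connection.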
openldap-technical@openldap.org