--On Tuesday, June 06, 2017 5:32 PM +0000 Etan Weintraub eweintra@jhmi.edu wrote:
I now need to do the same type of thing for another branch, but for authentication instead (i.e. only allow auth to occur if coming from an approved IP). I've tried the following:
access to dn.sub="dc=mfa"
        by peername.ip=127.0.0.1 auth
        by peername.ip=10.181.24.193 auth
        by * none
But no luck. Any ideas/help? If I can't do this with an ACL, if I can get the IP address of the request passed in to the bind function in the Perl backend, I can handle the controls there.
That's not really what "auth" access means. Are you using simple binds? If so, I'd try something like:
access to dn.sub="dc=mfa" attrs=userPassword
        by peername.ip=127.0.0.1 anonymous auth
        by peername.ip=10.181.24.193 anonymous auth
        by <admin> write
access to dn.sub="dc=mfa"
        by users read
Now this makes some assumptions: a) Users auth against an entry in the dc=mfa tree, and b) that users only exist in that tree.
Alternatively, you may wish to look at set based ACLs to set it so that only entries that exist /in/ the dc=mfa tree can read entries in the dc=mfa tree, combined with the IP restrictions.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
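As an added illustration of the ACL Quanah sketches above (this fragment is not from the thread and not Symas or OpenLDAP project code), here is a slapd.conf layout for the "connect, bind, disconnect only, and only from approved peers" requirement, together with the slapacl(8) invocations one would use to check it without a client. First-match semantics are the important point: slapd walks the access directives in order and, within one, the first "by" clause whose who-part matches the requester fixes the access level, so the narrow peername rule has to come before anything broader, and a simple bind needs exactly "auth" on userPassword and nothing else. Assumptions: the rootdn, perlModulePath, perlModule, the uid=jdoe test entry, the ephemeral port numbers and the 10.181.24.0/24 mask are placeholders; 127.0.0.1 and 10.181.24.193 are the addresses from the thread. Two caveats: slapd-perl(5) hands a bind straight to the module's bind(this, dn, password) method, which receives no connection details, so the peer address is not available inside Perl, and Etan reports that this ACL has no effect on his back-perl binds; the fragment therefore shows the ACL semantics and the check, as they apply to a backend that enforces the userPassword auth check itself.

```conf
# Added example, not from the thread. Placeholders are marked.
database        perl
suffix          "dc=mfa"
rootdn          "cn=admin,dc=mfa"            # placeholder
perlModulePath  /usr/local/lib/slapd-perl    # placeholder path
perlModule      MfaBackend                   # placeholder module name

# Narrow rule first: directives and "by" clauses are evaluated in order and
# the first match decides. A simple bind requires "auth" on userPassword.
# peername.ip takes an optional %<netmask>; the /24 here is a placeholder.
access to dn.sub="dc=mfa" attrs=userPassword
        by peername.ip=127.0.0.1 anonymous auth
        by peername.ip=10.181.24.0%255.255.255.0 anonymous auth
        by * none

# Nothing else in the tree is readable or searchable by anyone. "by * none"
# is also the implicit result when no clause matches; it is written out so
# the intent is visible and so a later, broader directive cannot widen it.
access to dn.sub="dc=mfa"
        by * none

# Check the rules with slapacl(8), simulating the peer address. The value is
# the "IP=<addr>:<port>" form slapd records as the peer name. slapacl reads
# the config and opens the backend, so the database must be startable.
#   slapacl -f slapd.conf -v -o peername="IP=10.181.24.193:34567" \
#           -b "uid=jdoe,dc=mfa" userPassword/auth     # expect ALLOWED
#   slapacl -f slapd.conf -v -o peername="IP=192.0.2.10:34567" \
#           -b "uid=jdoe,dc=mfa" userPassword/auth     # expect DENIED
```

Running the two slapacl calls after every ACL change, one from an approved address and one from an unapproved one, is cheaper than reproducing the bind from each host and catches the common mistake of a broader directive placed earlier in the file.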
So, the only place I have bind defined in the Perl Backend is the one on dc=mfa, there is nothing else that can bind anywhere. I don't want anything to be able to do anything other than a straight LDAP bind to the dc=mfa branch, they don't even do a search against it, just straight connect, bind, disconnect.
The solution you gave below doesn't seem to work either, as no error code is returned.
If I could somehow get the originating IP address passed in to Perl, I could have it check that and return error code 53 or something similar, but right now, it's passing everything into Perl, regardless of the IP address, and authenticating the user.
-Etan

E. Weintraub
Information Security Architect
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave. Davis Building Suite 3110B
Baltimore, MD 21209
Phone: 667-208-6309
E-mail: eweintra@jhmi.edu
-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com]
Sent: Tuesday, June 6, 2017 2:37 PM
To: Etan Weintraub eweintra@jhmi.edu; 'openldap-technical@openldap.org' openldap-technical@openldap.org
Subject: Re: Attempting to set Access Control for auth to Perl Backend
Etan Weintraub wrote:
So, the only place I have bind defined in the Perl Backend is the one on dc=mfa, there is nothing else that can bind anywhere. I don't want anything to be able to do anything other than a straight LDAP bind to the dc=mfa branch, they don't even do a search against it, just straight connect, bind, disconnect.
Your search base dc=mfa and your requirement to only accept a bind sounds a bit like you're trying to implement multi-factor authc. If yes, do you really have to stick to Perl?
Ciao, Michael.