Hello all,
Since there is some time, I figured I'd rectify our openldap configuration and use proper ACLs.
We are using the following version on Solaris 10:
[xxxx:/opt/csw/libexec]$ ./slapd -V
@(#) $OpenLDAP: slapd 2.3.39 (Feb 22 2008 18:51:52) $
asmoore@ra
Our user subtree is organized as shown below:
o=suffix
ou=people,o=suffix
uid=kdz,ou=people,o=suffix
uid=hyc,ou=people,o=suffix
ou=removed_accounts,ou=people,o=suffix
uid=abcd,ou=removed_accounts,ou=people,o=suffix
uid=efgh,ou=removed_accounts,ou=people,o=suffix
Basically, I want getent passwd not to list entries below ou=removed_accounts,ou=people,o=suffix, because a client application still considers the removed accounts to be users (it probably searches the whole subtree).
I read the documentation for 2.3:
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control http://www.openldap.org/doc/admin23/slapdconfig.html
And found this:
The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN).
So, I figured that an ACL (no global ACLs any longer) like this
access to dn.one="ou=People,o=suffix" by * write
should hide the removed accounts and only show the active ones.
But it does not; it still contains all the children of
ou=removed_accounts,ou=people,o=suffix
And of
ou=people,o=suffix
Using dn.base="ou=People,o=suffix" by * write
works as expected: getent passwd does not return any LDAP users, only the /etc/passwd users.
The client system in question is a Solaris 10 machine, I have kept the client configuration unchanged for the tests so far:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= 127.0.0.1
NS_LDAP_SEARCH_BASEDN= o=suffix
NS_LDAP_SEARCH_TIME= 90
NS_LDAP_CACHETTL= 0
There are only two other ACLs in place:
1. access to dn.one="ou=Group,o=siemensmedical.com" by * write
This one works fine, getent group returns all the groups it should return and the changes can be done as well.
2. access to dn.subtree="ou=Roles,o=siemensmedical.com" by * write
This one works fine as well, it returns the role structure as requested and changes work as well.
Where am I making a mistake?
Best regards,
Claus
"Kick, Claus" claus.kick@siemens.com writes:
Hello all,
Since there is some time, I figured I'd rectify our openldap configuration and use proper ACLs.
We are using the following version on Solaris 10:
[...]
Our user subtree is organized as shown below:
o=suffix
ou=people,o=suffix
uid=kdz,ou=people,o=suffix
uid=hyc,ou=people,o=suffix
ou=removed_accounts,ou=people,o=suffix
uid=abcd,ou=removed_accounts,ou=people,o=suffix
uid=efgh,ou=removed_accounts,ou=people,o=suffix
Basically, I want getent passwd not to list entries below ou=removed_accounts,ou=people,o=suffix, because a client application still considers the removed accounts to be users (it probably searches the whole subtree).
I read the documentation for 2.3:
http://www.openldap.org/doc/admin23/slapdconfig.html#Access%20Control http://www.openldap.org/doc/admin23/slapdconfig.html
And found this:
The scope can be either base, one, subtree, or children. Where base matches only the entry with provided DN, one matches the entries whose parent is the provided DN, subtree matches all entries in the subtree whose root is the provided DN, and children matches all entries under the DN (but not the entry named by the DN).
So, I figured that an ACL (no global ACLs any longer) like this
access to dn.one="ou=People,o=suffix" by * write
should hide the removed accounts and only show the active ones.
But it does not; it still contains all the children of
ou=removed_accounts,ou=people,o=suffix
And of
ou=people,o=suffix
Using dn.base="ou=People,o=suffix" by * write
Where am I making a mistake?
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
access to dn.one=ou=people,o=suffix by * write
-Dieter
Hello,
Where am I making a mistake?
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
access to dn.one=ou=people,o=suffix by * write
Ok, that works like a charm! Follow-up question (this probably shows I don't know much about ACLs):
Why do I need to limit the scope via another ACL if I have one in place which itself should already limit the scope of a search on a subtree?
Cheers, Claus
"Kick, Claus" claus.kick@siemens.com writes:
Hello,
Where am I making a mistake?
access to dn.subtree=ou=removed_accounts,ou=people,o=suffix by none
access to dn.one=ou=people,o=suffix by * write
Ok, that works like a charm! Follow-up question (this probably shows I don't know much about ACLs):
Why do I need to limit the scope via another ACL if I have one in place which itself should already limit the scope of a search on a subtree?
The principal design of ACLs is based on the ordering of a rule set, beginning with a rule protecting the smallest item, like an attribute, and ending with the largest tree item, like the whole tree. You may run slapd in ACL debugging mode in order to watch the parsing of the access rules; at least it gave me an understanding of the design of access rules.
-Dieter
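To make the ordering point concrete, here is an added example (not code from the thread and not slapd's own ACL engine) that models how slapd walks the dn.&lt;scope&gt; rules in slapd.conf order, first match wins, with the implicit trailing "access to * by * none" that slapd.access(5) describes. It uses the subtree and the two rules from the thread; the entry where order matters is ou=removed_accounts itself, which is both one level below ou=people and the root of the denied subtree. DN matching is simplified to case-folded string comparison, an assumption made here for the model.

```python
# Added model of slapd ACL evaluation (constructed example, not slapd code):
# rules are tried in configuration order, the first "access to" whose dn
# clause matches the entry decides, and an unmatched entry gets "none".

def parent(dn):
    """Drop the first RDN: 'uid=x,ou=people,o=suffix' -> 'ou=people,o=suffix'."""
    return dn.split(",", 1)[1] if "," in dn else ""

def dn_matches(entry, scope, target):
    """The base/one/subtree/children scopes quoted from the 2.3 admin guide.
    Case folding stands in for slapd's DN normalisation (simplification)."""
    entry, target = entry.lower(), target.lower()
    if scope == "base":
        return entry == target
    if scope == "one":
        return parent(entry) == target
    if scope == "subtree":
        return entry == target or entry.endswith("," + target)
    if scope == "children":
        return entry.endswith("," + target)
    raise ValueError("unknown dn scope: %s" % scope)

def access_for(entry, rules):
    """First matching rule wins; falling off the end is the implicit
    'access to * by * none' that closes every slapd access list."""
    for scope, target, level in rules:
        if dn_matches(entry, scope, target):
            return level
    return "none"

# Constructed copy of the subtree from the first mail.
DIT = [
    "ou=people,o=suffix",
    "uid=kdz,ou=people,o=suffix",
    "ou=removed_accounts,ou=people,o=suffix",
    "uid=abcd,ou=removed_accounts,ou=people,o=suffix",
]

# (scope, target DN, access granted by the by clause), in slapd.conf order.
DIETER_ORDER = [
    ("subtree", "ou=removed_accounts,ou=people,o=suffix", "none"),
    ("one", "ou=people,o=suffix", "write"),
]
# Same two rules with the larger item first: ou=removed_accounts now
# matches the dn.one rule before the subtree rule can deny it.
REVERSED_ORDER = list(reversed(DIETER_ORDER))

def listing(rules):
    """Map every entry of the DIT to the access the rule set grants it."""
    return {dn: access_for(dn, rules) for dn in DIT}
```

Comparing listing(DIETER_ORDER) with listing(REVERSED_ORDER) shows only ou=removed_accounts changing from none to write; its children stay hidden either way because no rule but the subtree one ever matches them.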