Hi,
Sorry - this is probably very basic, but I cannot get my head around how to write an ACL that prevents "auth" unless the user's employeeType attribute is in a particular list (or NOT in a shorter list).
I have a slapd config line:
constraint_attribute employeeType regex ^(Staff|External|MA|PhD|Intern|System|Archive|Delete)$
However, I'd like to limit the ability to bind (auth) to those users whose employeeType is NOT [regex ^(Archive|Delete)$]
or, less preferable, IS Staff|External|MA|PhD|Intern|System
At the moment I apply the constraint in pam-ldap, but that's not terribly elegant and of course does not work if apache2's mod_authnz_ldap checks directly with the LDAP server.
Many thanks for pointers :)
Tim
PS
Current ACLs are fairly simple:
access to dn.base="" by * read
access to attrs=userPassword by peername.path="/var/run/slapd/ldapi" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage by self write by * auth
# Certain attributes that should not be publicly readable
access to attrs=bindTimestamp,modifyTimestamp,modifiersName,creatorsName,createTimestamp by peername.path="/var/run/slapd/ldapi" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage by self read by * none
--On Monday, April 11, 2016 12:02 AM +0100 Tim Watts tim.j.watts@kcl.ac.uk wrote:
access to attrs=userPassword by peername.path="/var/run/slapd/ldapi" manage by set="user/uid & [cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage by self write by * auth
You might be able to work something out using filter=... and access to userpasswd that way?
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
Tim Watts wrote:
Sorry - this is probably very basic, but I cannot get my head around how to write an ACL that prevents "auth" unless the user's employeeType attribute is in a particular list (or NOT in a shorter list).
I have a slapd config line:
constraint_attribute employeeType regex ^(Staff|External|MA|PhD|Intern|System|Archive|Delete)$
However, I'd like to limit the ability to bind (auth) to those users whose employeeType is NOT [regex ^(Archive|Delete)$]
# some entries matching filter
# (a "!" filter takes exactly one operand, so the two values are OR-ed first)
access to attrs=userPassword filter=(!(|(employeeType=Archive)(employeeType=Delete)))
  by ..some who clauses for setting password
  by * auth

# all other entries
access to attrs=userPassword
  by * none
The second ACL is important!
Current ACLs are fairly simple:
access to dn.base="" by * read
access to attrs=userPassword by peername.path="/var/run/slapd/ldapi" manage
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This is somewhat dangerous because it gives any process which has write access to the LDAPI socket *manage* rights. I'd recommend not doing that. Rather, use authz-regexp mappings to explicitly map certain OS accounts to real LDAP entries.
by set="user/uid &
[cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk]/memberUid" manage
Set-ACLs are slow. I'd recommend to use groupOfNames entries to achieve this.
Ciao, Michael.
openldap-technical@openldap.org
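Putting Quanah's hint (a filter= on the userPassword rule) and Michael's three points together (the filtered rule plus its catch-all, authz-regexp instead of a blanket peername.path grant, and a groupOfNames group instead of a set clause), here is an added slapd.conf fragment. It is an editor's example, not code from the thread or from the OpenLDAP project. It reuses the dc=dighum,dc=kcl,dc=ac,dc=uk suffix and the cn=sysadmin group DN from Tim's post; the cn=admin entry that local root is mapped to, and the assumption that cn=sysadmin has been converted to a groupOfNames whose member values are full DNs, are mine.

```conf
# Added example, not part of the thread. Assumptions:
#  - cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk exists and is the entry that
#    local root should act as (hypothetical DN);
#  - cn=sysadmin,ou=groups,... is an objectClass groupOfNames whose
#    "member" values are full DNs (the thread's group used memberUid).

# Global section: map the SASL EXTERNAL identity of local root over
# ldapi:/// (e.g. "ldapsearch -Y EXTERNAL -H ldapi:///") to a real entry.
# Only that mapped identity receives "manage" below; any other process
# that can open the socket is not silently elevated.
authz-regexp
  gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth
  cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk

# ... database definition, suffix, rootdn etc. go here ...

access to dn.base="" by * read

# Rule 1: entries that are NOT Archive/Delete may bind with userPassword.
# "!" takes exactly one operand, so the two values are OR-ed first.
# Note: an entry with no employeeType at all also matches this filter;
# use filter=(&(employeeType=*)(!(|(...)))) if absence should deny too.
access to attrs=userPassword
      filter=(!(|(employeeType=Archive)(employeeType=Delete)))
  by dn.exact="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by group.exact="cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by self write
  by * auth

# Rule 2: everyone else, i.e. Archive and Delete. Admins keep "manage" so
# the password can still be reset or removed; nobody else gets even
# "auth", so a simple bind as one of these users is refused. Without this
# rule a later, broader "access to *" line could match these entries.
access to attrs=userPassword
  by dn.exact="cn=admin,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by group.exact="cn=sysadmin,ou=groups,dc=dighum,dc=kcl,dc=ac,dc=uk" manage
  by * none

# The remaining rules (operational attributes etc.) follow unchanged,
# with the same dn.exact and group.exact clauses replacing the old
# peername.path and set= clauses.
```

Order matters: slapd applies the first `access to` line whose target matches, so rule 1 must precede rule 2 and both must precede any `access to *`. Check the file with `slaptest -f slapd.conf` (it rejects a malformed filter), then verify behaviour with `ldapwhoami -x -D <DN of an Archive user> -W`, which should fail with invalid credentials, while the same command for a Staff user succeeds. The authz-regexp only applies to SASL EXTERNAL binds; a plain `-x` bind over ldapi carries no peercred identity. If cn=admin is also the database rootdn, ACLs are bypassed for it entirely and the dn.exact clauses are only needed for a separate, non-rootdn admin entry.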