
Re: ACL questions. Answered (long)



Answer to myself and anybody that ever needs to do this:

The Goals:

1. Not use rootdn at all. Why? Because when you run scripts you need the
plaintext password to authenticate, and I am really paranoid and do not
want anybody to know the password of my ldap database admin user.
Comment out the rootdn and rootpw entries in slapd.conf.

2. Have a user uid=Ldaproot,dc=math,dc=gatech,dc=edu which also has a
kerberos principal and create a Keytab that has the ID/PASSWD pair.
Then any time you try to authenticate with this Ldaproot's credentials,
you will get a kerberos ticket using that keytab with the command:
kinit -v /path/to/Ldaproot.keytab
Then do any ldapadd/ldapdelete/ldapmodify with the -Y GSSAPI -U Ldaproot
options to perform gssapi auths.
Nobody will know the password of the user since it was generated
randomly in your kerberos server, and this will only work from the place
where you keep the keytab (PLEASE DO NOT PUT IT IN AN NFS MOUNTED
DIRECTORY, sorry for the yelling but I needed to make a point).
Once the script has run, you simply use kdestroy to remove the ticket
for the Ldaproot user.

3. Have a user uid=Sambaroot,dc=math,dc=gatech,dc=edu which has write
access to all the required samba entries but not to the rest of the ldap
database, e.g:

-Write one entry in the root of your ldap directory:
	dn: sambaDomainName=GT-MATH-TEST,dc=math,dc=gatech,dc=edu

-Write to all samba attributes in
dn.children="ou=People,dc=math,dc=gatech,dc=edu"

-Write to some needed samba attributes in
dn.children="ou=Group,dc=math,dc=gatech,dc=edu"

-Write to all samba attributes in
dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"

-Not have access to delete entries (You can still disable a samba user,
but if you want to delete you need to delete the whole account using
Ldaproot).


TODO:
1- Find out how these ACLs affect performance.
2- Find any other problems trying to add/delete stuff.
3- Find any other way to list all attributes for samba instead of having
to add them all one at a time (not sure if this is possible yet).

Finally, here are the ACLs for the slapd.conf file:
(If you have any comments, suggestions, etc., please e-mail back).

defaultaccess none

# Password attributes anywhere in the tree: only the two admin users may
# write them; everybody else may only use them to authenticate.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth

# Samba account attributes under ou=People. The attrs= line is indented so
# that slapd reads it as a continuation of the access directive.
access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
        attrs=objectClass,sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

# Samba group attributes under ou=Groups.
access to dn.children="ou=Groups,dc=math,dc=gatech,dc=edu"
        attrs=description,sambaSID,sambaGroupType,displayName,objectClass
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

# Samba machine account attributes under ou=Hosts (same list as ou=People).
access to dn.children="ou=Hosts,dc=math,dc=gatech,dc=edu"
        attrs=objectClass,sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

# Sambaroot may write everything under ou=Idmap.
access to dn.children="ou=Idmap,dc=math,dc=gatech,dc=edu"
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

# Any other attribute of an entry below some ou=...: Sambaroot gets read only.
# The regex is not anchored, so it matches every entry whose DN contains an
# ou= component below the base.
access to dn.regex="ou=(.+),dc=math,dc=gatech,dc=edu"
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" read
        by * auth break

# What is left directly under the base (e.g. the sambaDomainName entry):
# Sambaroot may write it.
access to dn.subtree="dc=math,dc=gatech,dc=edu"
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * auth break

# Fallback for everybody who fell through the "auth break" clauses above.
access to *
        by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
        by * read

HTH somebody some day....

Diego
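A way to check what the ACLs above actually grant before loading them, as an added example that is not part of Diego's post: a small Python model of slapd's directive walk (first matching "access to", first matching "by" inside it, a plain level replaces the result, "break" moves on to the next directive), run against the same ACLs. It assumes dn.regex is unanchored and does not model the entry/children pseudo-attributes that govern add and delete.

```python
import re

# Added example, not from the original post: simplified model of how slapd walks
# the access directives in the reply above. Assumptions: dn.regex is unanchored
# (re.search) and the entry/children pseudo-attributes controlling add/delete
# are not modelled.
BASE = "dc=math,dc=gatech,dc=edu"
LDAPROOT = "uid=Ldaproot,ou=People," + BASE
SAMBAROOT = "uid=Sambaroot,ou=People," + BASE
SAMBA_ACCT = set("objectClass,sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial".split(","))
SAMBA_GROUP = {"description", "sambaSID", "sambaGroupType", "displayName", "objectClass"}

def children(parent):   # dn.children: strictly below parent
    return lambda dn: dn.endswith("," + parent)
def subtree(parent):    # dn.subtree: parent itself or anything below it
    return lambda dn: dn == parent or dn.endswith("," + parent)
def regex(pattern):     # dn.regex: unanchored search over the DN (assumption)
    return lambda dn: re.search(pattern, dn) is not None

ROOT_W, SAMBA_W, SAMBA_R = (LDAPROOT, "write", False), (SAMBAROOT, "write", False), (SAMBAROOT, "read", False)
ANY_AUTH_BREAK = ("*", "auth", True)

# (dn selector, attrs= set or None for all attributes, [(who, level, break?)])
ACLS = [
    (lambda dn: True, {"userPassword", "sambaLMPassword", "sambaNTPassword"}, [ROOT_W, SAMBA_W, ("*", "auth", False)]),
    (children("ou=People," + BASE), SAMBA_ACCT, [ROOT_W, SAMBA_W, ANY_AUTH_BREAK]),
    (children("ou=Groups," + BASE), SAMBA_GROUP, [ROOT_W, SAMBA_W, ANY_AUTH_BREAK]),
    (children("ou=Hosts," + BASE), SAMBA_ACCT, [ROOT_W, SAMBA_W, ANY_AUTH_BREAK]),
    (children("ou=Idmap," + BASE), None, [ROOT_W, SAMBA_W, ANY_AUTH_BREAK]),
    (regex("ou=(.+)," + BASE), None, [ROOT_W, SAMBA_R, ANY_AUTH_BREAK]),
    (subtree(BASE), None, [ROOT_W, SAMBA_W, ANY_AUTH_BREAK]),
    (lambda dn: True, None, [ROOT_W, ("*", "read", False)]),
]

def access(who, dn, attr):
    """Access level that `who` (a bind DN or "anonymous") gets to `attr` of entry `dn`."""
    granted = "none"                       # defaultaccess none
    for target, attrs, clauses in ACLS:
        if not target(dn) or (attrs is not None and attr not in attrs):
            continue                       # this directive does not apply
        for subject, level, brk in clauses:
            if subject in ("*", who):
                granted = level
                if not brk:
                    return granted         # implicit "stop" control
                break                      # "break": evaluate the next directive
        else:
            return "none"                  # directive matched, but no by clause did
    return granted
```

Running access() for Sambaroot against a non-samba attribute under ou=People shows the dn.regex rule is what holds it to read, while the sambaDomainName entry at the base falls through to the dn.subtree rule and is writable.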

On Mon, 8 Mar 2004, Diego Julian Remolina wrote:

> Hi everyone,
>
> I would like to have 2 users with separate ACLs for openldap:
> uid=Ldaproot,dc=domain,dc=com  with full access to the database.
> uid=Sambaroot,dc=domain,dc=com with access only to samba entries which
> belong to the samba* attribute types and also to ou=Machines and ou=Idmap.
>
> I do not want to have a rootdn entry in slapd.conf.  The Ldaproot user
> will have a kerberos principal with an unknown password that will be
> stored in a keytab which will be used to perform gssapi auths whenever we
> need to add/remove information to ldap using some scripts.
>
> Since Sambaroot needs to have an entry in /etc/samba/secrets.tdb which is
> pretty much plaintext and since samba cannot use keytabs, I would like to
> provide the user uid=Sambaroot,dc=domain,dc=com with ACLs to be able to
> add one entry to the root of the ldap database:
>
> dn: sambaDomainName=GT-MATH-TEST,dc=math,dc=gatech,dc=edu
> objectClass: sambaDomain
> sambaDomainName: GT-MATH-TEST
> sambaSID: S-1-5-21-2135209786-3363987198-2266210874
> sambaAlgorithmicRidBase: 1000
>
> The information above changes with the domain name, so it is not like I
> can add it once as Ldaproot and then let Sambaroot modify it.
>
> How do I create an ACL to allow uid=Sambaroot to add such entry without
> giving full write access?
>
> I also need to allow Sambaroot to modify all attributetypes for samba.  Is
> there any other way to do this better than:
>
> access to dn.one="ou=People,dc=math,dc=gatech,dc=edu" attr=objectClass
> 	by * read
> (I need to do the one above or the one below will block read access to
> everything since objectClass is listed as an attribute).
>
> access to dn.one="ou=People,dc=math,dc=gatech,dc=edu"
>         attrs=sambaSID,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaPrimaryGroupSID,sambaDomainName,displayName,objectClass
>         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>
> Thanks,
>
> Diego
>
> ----------------------------------
> Diego Julian Remolina
> System Administrator
> School of Mathematics
> Georgia Institute of Technology
> ----------------------------------
>