RE: ACL questions. Answered (long)

["Howard Chu" <hyc@highlandsun.com>]

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Diego Julian
Remolina

> Answer to myself and anybody that ever needs to do this:
>
> The Goals:
>
> 1. Not use rootdn at all, Why? Because when you run scripts
> you need the
> plaintext password to authenticate and I am really paranoid and do not
> want anybody to know the password of my ldap database admin user.
> Comment out the rootdn and rootpw entries in slapd.conf

No, you don't *need* the plaintext password, that's just the most common way
to use it.

> 2. Have a user uid=Ldaproot,dc=math,dc=gatech,dc=edu which also has a
> kerberos principal and create a Keytab that has the ID/PASSWD pair.
> Then any time you try to authenticate with this Ldaproot's
> credentials,
> you will get a kerberos ticket using that keytab with the command:
> kinit -v /path/to/Ldaproot.keytab
> Then do any ldapadd/ldapdelete/ldapmodify with the -Y GSSAPI
> -U Ldaproot
> options to perform gssapi auths.

This technique will still work for the rootdn if you have a sasl-regexp rule
to map the SASL authentication ID into the rootdn. Obviously you need a
sasl-regexp rule anyway, to identify your uid=Ldaproot entry.

> TODO:
> 1- Find out how this ACLs affect performance.
> 2- Find any other problems trying to add/delete stuff.
> 3- Find any other way to list all attributes for samba
> instead of having
> to add them all one at a time (not sure if this is possible yet).
>
> Finally, here are the ACLs for the slapd.conf file:
> (If you have any comments, suggestions, etc please e-mail back).
>
> defaultaccess none
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth

The OpenLDAP server doesn't know anything special about sambaLMPassword or
sambaNTPassword; it will never use Auth access on these attributes. Including
them here is pointless.

> access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
> attrs=objectClass,sambaSID,sambaLMPassword,sambaNTPassword,sam
> baPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,s
> ambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName
> ,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePat
> h,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,s
> ambaMungedDial
>         by dn="uid=Ldaproot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by dn="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write
>         by * auth break

None of these attributes are used by slapd during authentication. Again, "by
* auth" is pointless. The use of "break" here is also unnecessary. The same
applies to all the subsequent clauses.

Note that slapd allows objectClass names to be used as a shorthand for all of
the attributes in the class. Your ACL could just read
	access to dn.children="ou=People,dc=math,dc=gatech,dc=edu"
	  attrs=objectClass,sambaSamAccount
	  by dn.exact="uid=Sambaroot,ou=People,dc=math,dc=gatech,dc=edu" write

(The Ldaproot would be subsumed by using the rootdn; no rootpw is needed if
you use SASL.)

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support