[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Chain overlay and ACLs
Noob question:
I've set up chaining from my slave LDAP to the master. It seemed
everything was working fine, until I realize that ANY user can now make
modifications in the LDAP DB if it is done from the slave.
My ALCs allow full write access to the chain binddn. If I don't set
this, chaining fails. But with it set, any valid, authenticated user
can make DB changes (full write access).
I am confused as to why this is happening.
Info is below.
Thanks in advance,
John
Version:
openldap-2.3.43
ACLs on master (and slave):
# Who has access to read or change the password attribute
access to attrs=userPassword,shadowLastChange
by self write
by dn.base="cn=tooladmin,o=partner_x,dc=example,dc=net" write
by
group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
by
group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
by group.exact="cn=administrators,o=mycompany,dc=example,dc=net"
write
by
group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
by anonymous auth
by * none
# Keep partners out of mycompany db
access to dn.sub="o=mycompany,dc=example,dc=net"
by group.exact="cn=administrators,o=mycompany,dc=example,dc=net"
write
by
group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
by dn.sub="o=partner_x,dc=example,dc=net" none
by anonymous none
by * none
# Allow the tool access to add and modify ToolAccessLevel, etc
access to
filter="(|(objectClass=DiagnosticsPerson)(objectClass=ToolsAccess))"
by dn.base="cn=tooladmin,o=partner_x,dc=example,dc=net" write
by
group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
by
group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
by group.exact="cn=administrators,o=mycompany,dc=example,dc=net"
write
by
group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
by anonymous none
by * read
# Finally, allow the main LDAP users access to everything else
access to *
by
group.exact="cn=admin_partner_x,o=partner_x,dc=example,dc=net" write
by
group.exact="cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net" read
by group.exact="cn=administrators,o=mycompany,dc=example,dc=net"
write
by
group.exact="cn=administrators_RO,o=mycompany,dc=example,dc=net" read
by anonymous none
by * read
And the LDIFs:
# admin_partner_x, partner_x, example.net
dn: cn=admin_partner_x,o=partner_x,dc=example,dc=net
cn: admin_partner_x
objectClass: groupOfNames
description: Group of Admins with full access
member: cn=ldapChain,o=partner_x,dc=example,dc=net
member: cn=ldapEditor,o=partner_x,dc=example,dc=net
# admin_partner_x_RO, partner_x, example.net
dn: cn=admin_partner_x_RO,o=partner_x,dc=example,dc=net
cn: admin_partner_x_RO
objectClass: groupOfNames
description: Group of Admins with readonly access
member: cn=simpleBind,o=partner_x,dc=example,dc=net
member: cn=syncRepl,o=partner_x,dc=example,dc=net
# tooladmin, partner_x, example.net
dn: cn=tooladmin,o=partner_x,dc=example,dc=net
sn: tooladmin
cn: tooladmin
userPassword:: dG9vbGFkbWlu
description: To allow access for tools. Per ACLs, this guy has write
access to passwords and tool levels
objectClass: person
# jkane2, people, partner_x, example.net
dn: uid=jkane2,ou=people,o=partner_x,dc=example,dc=net
objectClass: person
objectClass: posixAccount
objectClass: DiagnosticsPerson
objectClass: ToolsAccess
cn: jkane2
loginShell: /bin/bash
uidNumber: 3805
uid: jkane2
homeDirectory: /jkane2
sn: jkane2
gidNumber: 950
ToolAccessLevel: subinfo
ToolDomain: example.net
DiagAccessLevel: DIAG_USER_T1
DiagGroup: partner_x
userPassword:: xxxxxxxxxxx
From the master, using some arbitrary user:
[jkane2@master]$ ldapadd -x -D
'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' -W <<EOF
> dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
> uid: testauserC
> description: asdf
> objectClass: account
> objectClass: simpleSecurityObject
> userPassword: testauser
> EOF
Enter LDAP Password:
adding new entry
"uid=testauserC,ou=people,o=partner_x,dc=example,dc=net"
ldapadd: Insufficient access (50)
additional info: no write access to parent
From the slave:
[jkane2@slave]$ ldapadd -x -D
'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' -W <<EOF
> dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
> uid: testauserC
> description: asdf
> objectClass: account
> objectClass: simpleSecurityObject
> userPassword: testauser
> EOF
Enter LDAP Password:
adding new entry
"uid=testauserC,ou=people,o=partner_x,dc=example,dc=net"
[jkane2@slave]$ ldapsearch -x -D
'uid=jkane2,ou=people,o=partner_x,dc=example,dc=net' uid=testauserC -W
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=testauserC
# requesting: ALL
#
# testauserC, people, partner_x, example.net
dn: uid=testauserC,ou=people,o=partner_x,dc=example,dc=net
uid: testauserC
description: asdf
objectClass: account
objectClass: simpleSecurityObject
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
This message is confidential to Prodea Systems, Inc unless otherwise indicated
or apparent from its nature. This message is directed to the intended recipient
only, who may be readily determined by the sender of this message and its
contents. If the reader of this message is not the intended recipient, or an
employee or agent responsible for delivering this message to the intended
recipient:(a)any dissemination or copying of this message is strictly
prohibited; and(b)immediately notify the sender by return message and destroy
any copies of this message in any form(electronic, paper or otherwise) that you
have.The delivery of this message and its information is neither intended to be
nor constitutes a disclosure or waiver of any trade secrets, intellectual
property, attorney work product, or attorney-client communications. The
authority of the individual sending this message to legally bind Prodea Systems
is neither apparent nor implied,and must be independently verified.