OpenLDAP

Viewing Documentation/5400

From: michael@stroeder.com
Subject: authz-regexp migration issue: ACLs of 2.3 no longer work with 2.4.8

Date: Sat, 1 Mar 2008 10:48:29 GMT
From: michael@stroeder.com
To: openldap-its@OpenLDAP.org
Subject: authz-regexp migration issue: ACLs of 2.3 no longer work with 2.4.8
Full_Name: Michael Ströder
Version: 2.4.8
OS: 
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.163.75.104)


A configuration using authz-regexp fully functional with appropriate ACLs was
working in RE23 but does not work in 2.4.8 anymore.

http://www.openldap.org/lists/openldap-software/200802/msg00373.html

More to follow...


Followup 1

Date: Sat, 01 Mar 2008 11:50:51 +0100
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#5400) authz-regexp migration issue: ACLs of 2.3 no longer work with 2.4.8

Follow-up on openldap-software repeated here...

Gavin Henry wrote:
> Michael Ströder wrote:
>>
>> I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also 
>> CVS RE24). I'm making use of authz-regexp to map user entries when 
>> they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. 
>> This together used to work on 2.3.x with the existing ACLs.
>>
>> With 2.4.7 this worked no longer. The user wasn't found. In the ACL 
>> debug log I've noticed that access to the search root database entry 
>> (suffix) is requested. When I explicitly grant auth access to this 
>> entry it works. But why is that needed? Was this an intended change?
> 
> Can you paste them?

I've prepared a simplified slapd.conf and a LDIF file (both
attached) for this particular migration issue.

Take note of this:

authz-regexp
    "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
    "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
[..]
access to
      dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
      by * auth


See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

----------------------------- snip -----------------------------
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2003" -Y DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
SASL username: michael
SASL SSF: 128
SASL data security layer installed.
dn:uid=michael,ou=users,ou=authz-test,dc=stroeder,dc=local
$ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2004" -Y DIGEST-MD5 -w testsecret
SASL/DIGEST-MD5 authentication started
ldap_sasl_interactive_bind_s: Invalid credentials (49)
m
----------------------------- snip -----------------------------

If I grant auth access to the database root entry
ou=authz-test,dc=stroeder,dc=local it works (see comment of this
particular ACL in attached slapd.conf). With RE23 it also works
without this ACL!

Ciao, Michael.

[Attachment: initialload.ldif]

dn: ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: authz-test

dn: ou=Users,ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: Users

dn: uid=michael,ou=Users,ou=authz-test,dc=stroeder,dc=local
uid: michael
objectClass: account
objectClass: simpleSecurityObject
userpassword: testsecret



[Attachment: slapd.conf]

include		/opt/openldap-RE24/etc/openldap/schema/core.schema
include		/opt/openldap-RE24/etc/openldap/schema/cosine.schema

# Define global ACLs to disable default read access.

pidfile		/home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.pid
argsfile	/home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.args

modulepath	/opt/openldap-RE24/libexec/openldap

moduleload	back_hdb.la

authz-regexp
  "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

database	hdb

suffix		"ou=authz-test,dc=stroeder,dc=local"
directory	/home/michael/temp/openldap-authzto-testbed/RE24/data

# Index configuration
index objectClass,uid		eq

sizelimit	-1

# User entries
# ------------------------

access
    to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    by * auth

# Why the hell is this ACL needed for SASL Bind with authz-regexp with OpenLDAP 2.4?
access to dn.base="ou=authz-test,dc=stroeder,dc=local"
    by * auth





Followup 2

Date: Sat, 01 Mar 2008 15:55:38 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: michael@stroeder.com
CC: openldap-its@openldap.org
Subject: Re: (ITS#5400) authz-regexp migration issue: ACLs of 2.3 no longer work with 2.4.8
michael@stroeder.com wrote:

> Take note of this:
> 
> authz-regexp
>     "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
>     "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
> [..]
> access to
>       dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
>       by * auth
> 
> 
> See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

As indicated in OpenLDAP 2.4's man page, now the LDAP search operation
requires "search" privileges on the "entry" pseudo-attribute of the
searchBase.  This was introduced to be able to honor the "disclose"
privilege (or, at least, in conjunction with code that is used to honor
the "disclose" privilege).  The man page is erroneous in stating that
this requirement and that feature were introduced in OpenLDAP 2.3: the
code is indeed present in OpenLDAP 2.3, but actually #ifdef'd; it only
became the default behavior in OpenLDAP 2.4.

This requirement, as usual, is downgraded to "auth" when performing
authc/authz related lookups.

I'd take this ITS as a request to fix the documentation (indicate the
change since 2.4 and not since 2.3) and to better notify the different
behavior since 2.3.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
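The ACL change that follows from the explanation above, written out as an added example (it is not part of this ITS, nor of the slapd.conf attached to Followup 1). The reproducer worked around the 2.4 behaviour by granting "auth" on every attribute of the database root entry; what 2.4 actually needs is "auth" on the "entry" pseudo-attribute of the search base, and the ou=Users rule can be narrowed at the same time. The suffix, DNs and authz-regexp are taken from the attached reproducer; the directory path is assumed, and the attribute lists (entry, uid, userPassword) are my assumption of what the authz-regexp lookup and slapd's DIGEST-MD5 password lookup touch, so check them against slapd.access(5) for the version you run.

```conf
# Added example (not from the ITS): least-privilege ACLs for authz-regexp
# lookups on OpenLDAP 2.4. include/pidfile/modulepath lines as in the
# attached reproducer are omitted here.

authz-regexp
  "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

database   hdb
suffix     "ou=authz-test,dc=stroeder,dc=local"
directory  /var/lib/ldap/authz-test        # assumed path

# OpenLDAP 2.4 requires "search" on the "entry" pseudo-attribute of the
# search base, downgraded to "auth" for authc/authz lookups. The reproducer
# granted "auth" on the whole root entry; "entry" alone is enough.
# "auth" implies "disclose" but not "compare", "search" or "read", so an
# anonymous client still cannot search or read from this base.
access to dn.base="ou=authz-test,dc=stroeder,dc=local" attrs=entry
    by * auth

# The (uid=$1) filter is evaluated against the user entries, and the
# DIGEST-MD5 exchange needs the cleartext userPassword through slapd's
# auxprop lookup. Grant "auth" only on those attributes plus "entry"
# instead of on every attribute ("by * auth" with no attrs= clause).
# These lookups run before the bind completes, so a "by *" clause, which
# includes anonymous, is what has to grant them.
access to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    attrs=entry,uid,userPassword
    by * auth

# Everything else stays closed. Without this, slapd's implicit default for
# entries no rule matches depends on the version, so state it explicitly.
access to *
    by * none
```

Before restarting slapd you can evaluate the first rule offline with slapacl(8), e.g. `slapacl -f slapd.conf -b "ou=authz-test,dc=stroeder,dc=local" entry/auth` (with no -D the check is run for an anonymous identity, which is the weakest one the `by *` clause has to satisfy), and then repeat the ldapwhoami test from Followup 1 to confirm the bind maps to `uid=michael,ou=Users,ou=authz-test,dc=stroeder,dc=local`. Keep in mind that the 2.4 requirement applies to every search, not only to the authz lookup: any real client that searches from this base needs "search" on "entry" there under its own identity, which the `by * auth` clause above deliberately does not give it.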



The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

______________
© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org