[Date Prev][Date Next] [Chronological] [Thread] [Top]

slapd sasl auxprop plugin and minimum ssf, different sasl ssf per host


I use openldap 2.1.11.

First I write what I want:

storing userPassword as plaintext in ldap in the userPassword attrib.
using the internal slapd sasl auxprop plugin
This works. Many thanks.
Allow few privilegized host to bind with sasl and simple bind with
ssf=0. Any other clients must use sasl bind with min_ssf=56 ,and simple
bind with min_ssf=128. (I only say 56 and 128 because these are greather
than 0)

1./ First problem is, that slapd auxprop plugin can't read the
userPassword attrib if it has any ssf with value greather than 0.

see the following example acl:

access to attribute=userPassword
        by dn="uid=ldapadmin,ou=People,dc=my_domain" write
        by peername="IP=127\.0\.0\.1:*" anonymous auth
        by peername="IP=192\.168\.1\.1:*" anonymous auth
        by ssf=56 anonymous auth
        by * none

Any request come form or can use e.g the
DIGEST-MD5 sasl mech., but e.g cant (even with tls) because
slapd seems always use ssf=0 for lookup the userPassword.

balsa@$ ldapsearch -U balsa -Y DIGEST-MD5 -ZZ uid=balsa

slapd[2659]: <= check a_dn_pat: anonymous 
slapd[2659]: <= check a_authz.sai_ssf: ACL 56 > OP 0 
slapd[2659]: <= check a_dn_pat: self 
slapd[2659]: <= check a_dn_pat: * 
slapd[2659]: <= acl_mask: [7] applying none(=n) (stop) 
slapd[2659]: <= acl_mask: [7] mask: none(=n) 
slapd[2659]: => access_allowed: auth access denied by none(=n)

So I can't specify sec. policy in ACL-s for simple bind.

2./ Second problem. How can I specify required sasl ssf per host?

3./ Maybe workaround: using two slapd with different config contians the
following options:
security simple_bind=128
sasl-secprops   minssf=56


security simple_bind=0
sasl-secprops   minssf=0

and dont use the acl for security policy.

What is the elegant sollution, or I must run two slapd with different
config? Can I run two slapd on the same db4 database?