
Re: Can I do this with OpenLDAP acls?



> Pierangelo Masarati wrote:
>> Pal, your ACLs are screwed wild.  Anonymous can READ the password, and
>> everything else, but bound users have limited privileges!
>
> Ouch. I didn't even realize I'd set things up that way until you
> pointed it out. The ACLs are now as follows:
>
> access to attr=userPassword
>          by self write
>          by * auth
>
> access to *
>          by anonymous read
>          by self read

This is really weird again, because you're giving read access to anonymous
and self, but not to bound users.  This is not something one would usually
do.  Of course, to let pam_ldap work correctly without being bound you need
to give read access to anonymous, but then I don't really see the need to
deny read to bound users.  Leave read access to everybody, e.g.

access to *
         by * read

Otherwise, pam_ldap provides means to access the DSA as an authenticated
administrative user, but this is slightly off topic here, better check
pam_ldap docs.

>
> (in the second entry, the anonymous line is required for pam_ldap
> and nss_ldap to work correctly).
>
> cn=Manager,dc=justthe,dc=net is, as you correctly guessed, the
> rootdn.
>
>> To answer your question, you may give read permission to "users",
>
> I don't think that'll work. For any account where the masterAccount
> attribute equals "sjsobol", for example, I should be able to get access
> if I bind as uid=sjsobol,ou=users,dc=justthe,dc=net. If
> masterAccount=ando, I should be able to get access if I bind as
> uid=ando, etc.

Then you need an ACL with the "filter" form; see the docs for
its usage; in any case it looks like

access to filter="masterAccount=sjsobol"
    by dn.exact="uid=sjsobol,ou=users,dc=justthe,dc=net" read

>
> I'm going to go look at the FAQ again, though...

If you need to make it value-dependent, you may want to read
the bits of info in the FAQ about sets.  They're barely mentioned
there, and there's nothing in the manuals.  Basically, AFAIR, whoever
implemented them didn't find the time to document them, and
someone else took over the burden by writing a FAQ; when I wrote
slapd.access(5) I hadn't the time to look at them, so I simply set them
apart for better times, which never came.  I'm pretty sure they
allow you to do what you need, anyway.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
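The following slapd.conf ACL block is an added worked example, not part of
the thread above and not anything the posters ran. It puts the three points
of the reply together: keep userPassword unreadable, grant the delegated
"masterAccount" access in both the fixed-value filter form and the
value-dependent set form, and leave ordinary read open to everybody so
pam_ldap/nss_ldap keep working. The DNs are the ones quoted in the thread;
masterAccount is the poster's own attribute. The set expression
`this/masterAccount & user/uid` is assumed from the OpenLDAP FAQ description
of sets (compare each masterAccount value of the target entry with each uid
value of the bound user's entry) and should be verified on your slapd version.

```conf
# Added example, not from the original thread.  OpenLDAP evaluates "access to"
# clauses in order and stops at the first one whose target matches; within
# that clause the first matching "by" wins, and an unmatched clause ends with
# an implicit "by * none".  Order and "break" therefore matter below.

# 1. Passwords: the owner may change it, anyone may bind against it
#    (auth), and nobody, anonymous included, gets to read it.
access to attrs=userPassword
        by self write
        by * auth
        by * none

# 2. Delegated access for the account named in masterAccount.
#
#    Fixed-value form (one clause per master account).  The filter is a
#    normal LDAP search filter, written with parentheses as slapd.access(5)
#    expects.  "by * break" is essential: without it the implicit
#    "by * none" would deny everybody else read on these entries, because
#    the catch-all clause in 3. would never be reached for them.
access to dn.children="ou=users,dc=justthe,dc=net" filter=(masterAccount=sjsobol)
        by dn.exact="uid=sjsobol,ou=users,dc=justthe,dc=net" read
        by * break

#    Value-dependent form using sets, covering every master account with a
#    single clause.  ASSUMED syntax (from the OpenLDAP FAQ on sets; verify
#    on your slapd version): "this" is the entry being accessed, "user" is
#    the bound DN, and the intersection is non-empty when a masterAccount
#    value of the entry equals a uid value of the bound user's entry.
#    Enable this one instead of the fixed-value clause above.
#access to dn.children="ou=users,dc=justthe,dc=net"
#        by set="this/masterAccount & user/uid" read
#        by * break

# 3. Everything else readable by everybody, bound users and anonymous alike.
#    Anonymous read is what pam_ldap and nss_ldap need when they are not
#    configured to bind as an administrative user.
access to *
        by * read
```

Note that with the catch-all in 3. granting read to everybody, the delegated
clauses in 2. only add something when the privilege given to the master
account is raised above "read" (the thread does not say which privilege the
poster had in mind, so "read" is kept as in the reply); they are still worth
keeping in this shape so that tightening the catch-all later does not
silently lock the master accounts out. A quick check after editing ACLs is an
anonymous `ldapsearch -x` and a bound `ldapsearch -x -D "uid=sjsobol,..." -W`
against one of the entries, confirming that userPassword is absent from both
results and that the bound user still sees the rest of the entry.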