Re: Retrieving userPassword via back-meta



To summarize: you're saying that the "pseudorootdn" stuff no longer works
in back-meta as of 2.3.20, correct?  It may well be possible, as that area
saw a lot of development recently.  I suggest you file an ITS; can you
design a very simple, self-contained example that shows the issue, just to
ease tracking the issue?  A one-target meta with as little ACL as possible
should be fine.

p.

> We generate /etc/passwd files from LDAP (no, I don't know why we simply
> don't authenticate via LDAP) and so need read access to userPassword.
>
> Using the ACL:
>
> access to attrs=userPassword
>         by self =wx
>         by dn.regex="^uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=dev$" =w
>         by anonymous auth
>
> ensures they are unreadable for all except rootDN.
>
> 2.2.26 slapd.conf:
>
> uri     "ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
> rewriteEngine   on
> rewriteContext  default
> rewriteRule     "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=com" ":"
> rebind-as-user
> binddn  "cn=Manager,dc=au,dc=cordoors,dc=com"
> bindpw  "XXX"
>
> 2.3.20 slapd.conf:
>
> uri     "ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
> rewriteEngine   on
> rewriteContext  default
> rewriteRule     "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=dev" ":"
> rebind-as-user  true
> acl-authcDN     "cn=Manager,dc=au,dc=cordoors,dc=dev"
> acl-passwd      "XXX"
> pseudorootdn    "cn=Manager,dc=au,dc=cordoors,dc=dev"
> pseudorootpw    "XXX"
>
> Search request:
>
> ldapsearch -W -b "dc=AdminView" -H "ldap://mippet" -D
> "cn=Manager,dc=au,dc=cordoors,dc=dev"
> "(&(objectClass=ciEmployee)(uid=susanc))" uid userpassword
> Enter LDAP Password: XXX
>
> Result:
>
> # susanc, stmarys, NSW, au.cordoors.dev
> dn: uid=susanc,ou=stmarys,ou=NSW,dc=au,dc=cordoors,dc=dev
> uid: susanc
>
> slapd.log:
>
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 ACCEPT from
> IP=192.168.1.1:1949 (IP=0.0.0.0:389)
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND
> dn="cn=Manager,dc=au,dc=cordoors,dc=dev" method=128
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND
> dn="cn=Manager,dc=au,dc=cordoors,dc=dev" mech=SIMPLE ssf=0
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 RESULT tag=97 err=0 text=
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH base="dc=AdminView"
> scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH attr=uid userpassword
> Mar 13 10:48:14 mippet slapd[8508]: conn=7 fd=60 ACCEPT from
> PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
> Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 BIND dn="" method=128
> Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 RESULT tag=97 err=0 text=
> Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH
> base="dc=au,dc=cordoors,dc=dev" scope=2 deref=0
> filter="(&(objectClass=ciEmployee)(uid=susanc))"
> Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH attr=uid userpassword
> Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=2 UNBIND
> Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 closed
>
> This tells me two things: the rebind is performed anonymously, and no
> apparent attempt is made to use "acl-authcDN" etc for an ACL check.  I no
> longer have access to a 2.2.26 system, and the logs have long since
> rotated.
>
> I'm fairly sure this used to work with 2.2.26 according to our staff, so
> perhaps something got tightened up in 2.3.20?
>
> It's no big deal, as I can always retrieve the DN then repeat the search
> with that DN as the base.
>
> --
> Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9552-5509 (d) -5500
> (sw)
> Corinthian Engrng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont
> 2009, AU
>
Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
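The diagnosis in the quoted message rests on two things: reading the slapd log to see which identity the proxied search on conn=7 actually ran as (an anonymous bind, dn=""), and knowing that the quoted ACL gives nobody but the rootdn read access to userPassword. The script below is an added example, not code from this thread or from OpenLDAP: it parses the quoted log lines (re-joined onto single lines as a constructed sample), records the identity each connection bound as, and evaluates a small model of the quoted ACL for that identity against the returned entry DN, reporting for every connection that requested userPassword whether the identity it ran as could read it. The ACL model only covers the clause types the thread uses (self, dn.regex, anonymous), OpenLDAP's first-matching-<by>-clause rule, "=<privs>" meaning exactly those privileges, and rootdn bypass; the rootdn and entry DN passed to audit() are taken from the thread.

```python
"""Added example (not from the thread): who did a userPassword search run as,
and would the quoted ACL let that identity read the attribute?"""
import re

SENSITIVE_ATTRS = {"userpassword"}

# Privilege sets implied by each named OpenLDAP access level.
LEVELS = {
    "none": set(),
    "disclose": {"d"},
    "auth": {"x", "d"},
    "compare": {"c", "x", "d"},
    "search": {"s", "c", "x", "d"},
    "read": {"r", "s", "c", "x", "d"},
    "write": {"w", "r", "s", "c", "x", "d"},
}

# The ACL quoted in the thread, as ordered (who, pattern, access) clauses.
USERPASSWORD_ACL = [
    ("self", None, "=wx"),
    ("dn.regex", r"^uid=.*,ou=CIAdmin,dc=..,dc=cordoors,dc=dev$", "=w"),
    ("anonymous", None, "auth"),
]


def privileges(access):
    """'read' -> level set; '=wx' -> exactly {'w', 'x'}."""
    if access.startswith("="):
        return set(access[1:])
    return LEVELS[access]


def acl_privileges(bind_dn, entry_dn, acl, rootdn):
    """Privileges bind_dn has on entry_dn's userPassword under acl.

    rootdn bypasses ACLs; otherwise the first matching <by> clause wins and
    no match means the implicit "by * none".  bind_dn == "" is anonymous.
    """
    if bind_dn and bind_dn.lower() == rootdn.lower():
        return LEVELS["write"]
    for who, pattern, access in acl:
        if who == "self" and bind_dn and bind_dn.lower() == entry_dn.lower():
            return privileges(access)
        if who == "dn.regex" and bind_dn and re.match(pattern, bind_dn):
            return privileges(access)
        if who == "anonymous" and not bind_dn:
            return privileges(access)
    return set()


LINE_RE = re.compile(r"conn=(\d+) (?:fd=\d+ )?(?:op=\d+ )?(.*)")
BIND_RE = re.compile(r'BIND dn="([^"]*)"')
ATTR_RE = re.compile(r"SRCH attr=(.*)")


def parse_connections(log_text):
    """conn id -> {"bind_dn": identity, "attrs": requested attribute names}."""
    conns = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        conn = conns.setdefault(m.group(1), {"bind_dn": "", "attrs": set()})
        rest = m.group(2)
        b = BIND_RE.search(rest)
        if b:
            # A BIND only becomes the connection's identity once it succeeds.
            conn["pending"] = b.group(1)
        if "RESULT tag=97 err=0" in rest and "pending" in conn:  # tag 97 = BindResponse
            conn["bind_dn"] = conn.pop("pending")
        a = ATTR_RE.search(rest)
        if a:
            conn["attrs"].update(a.group(1).lower().split())
    return conns


def audit(log_text, entry_dn, rootdn, acl=USERPASSWORD_ACL):
    """One finding per connection that asked for a sensitive attribute."""
    findings = []
    for conn_id, conn in sorted(parse_connections(log_text).items(), key=lambda kv: int(kv[0])):
        requested = conn["attrs"] & SENSITIVE_ATTRS
        if not requested:
            continue
        privs = acl_privileges(conn["bind_dn"], entry_dn, acl, rootdn)
        findings.append({"conn": conn_id, "bind_dn": conn["bind_dn"] or "<anonymous>",
                         "requested": sorted(requested), "readable": "r" in privs})
    return findings


# Constructed sample: the thread's log records, each re-joined onto one line.
SAMPLE_LOG = """\
Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 ACCEPT from IP=192.168.1.1:1949 (IP=0.0.0.0:389)
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 BIND dn="cn=Manager,dc=au,dc=cordoors,dc=dev" mech=SIMPLE ssf=0
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=0 RESULT tag=97 err=0 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH base="dc=AdminView" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 fd=60 ACCEPT from PATH=/var/run/openldap/ldapi (PATH=/var/run/openldap/ldapi)
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 BIND dn="" method=128
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=0 RESULT tag=97 err=0 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH base="dc=au,dc=cordoors,dc=dev" scope=2 deref=0 filter="(&(objectClass=ciEmployee)(uid=susanc))"
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SRCH attr=uid userpassword
Mar 13 10:48:14 mippet slapd[8508]: conn=7 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 13 10:48:14 mippet slapd[8508]: conn=6 op=2 UNBIND
Mar 13 10:48:14 mippet slapd[8508]: conn=6 fd=58 closed
"""

ENTRY_DN = "uid=susanc,ou=stmarys,ou=NSW,dc=au,dc=cordoors,dc=dev"
ROOTDN = "cn=Manager,dc=au,dc=cordoors,dc=dev"

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG, ENTRY_DN, ROOTDN):
        print(f"conn={f['conn']} as {f['bind_dn']}: {f['requested']} readable={f['readable']}")
```

Run against the sample, conn=6 (the client, bound as the rootdn) is reported as able to read userPassword, while conn=7 (back-meta's own connection to the target, bound anonymously) is not, which is exactly why the entry comes back with only uid. The same check applied to a slapd log from a working 2.2.26 setup would show conn=7 bound as the pseudoroot DN instead, so the script doubles as a quick regression check for the self-contained test case the reply asks for.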