Re: Trying to figure out access policies

[Jason Lixfeld <jason+lists.openldap@lixfeld.ca>]

Between Roy and Kurt's replies, I think I have enough information to  
go forward.

It is now very apparent to me that I went off-topic by including  
portions of an ldap.conf that had nss configuration directives in  
it.  I apologize for going off-topic -- I did not do so intentionally.

On 27-Jun-06, at 2:32 PM, Roy Ledochowski wrote:

> Jason--
>
> I'm not quite certain what you're trying to do, but if it's setup  
> nss_ldap and pam_ldap to use a proxy user for those libraries.   
> nss_ldap & pam_ldap are the client libraries which Linux (dunno  
> about FreeBSD & other PC *nix use) uses for LDAP user  
> authentication & authorization.  These libraries use /etc/ldap.conf  
> (on Redhat) and /etc/libnss-ldap.conf & /etc/libpam.conf (on  
> Debian).  nss_ldap & pam_ldap use /etc/ldap.secret for rootbinddn's  
> pwd.  These files are configured at build time.
>
> That being said, the openLDAP client libraries  & binaries such as  
> ldapsearch, ldappasswd, etc, also use ldap.conf, but it's a  
> *different file*.  On Redhat it's in /etc/openldap.  On Debian it's  
> in /etc/ldap.  Point is, you have to configure the right one for  
> the right task.  openLDAP does not use /etc/ldap.secret.
>
> Your ACL needs a bit of help:
> access to attrs=userPassword
>        by dn="cn=Proxyuser,dc=example,dc=ca" read
>
> -->you also need at least  "by * auth".  There is an implied "by *  
> none" at the end of each access directive.
>
> Rootbinddn is how nss_ldap will bind to do "root" operations.  This  
> functions pretty much like passwd & group.  Users can read but root 
> (=proxy) can edit.  Binddn if I remember right is for proxy users  
> if you do not allow anonymous binds.
>
> For your ldapsearch, I notice that you are trying to bind as your  
> proxy user but did not includ a password or server to bind to it  
> probably failed probably because
> A) your ldap.conf wasn't configured correctly (no URL or HOST  
> directive.  This is the default server to bind to)
> B) you didn't include a passwd (-w or -W)
> C)  If you are not using SASL (ie only simple binds), you need the - 
> x switch.
>
> Hope that helps,
> roy
>
>
>
>
> Jason Lixfeld <jason+lists.openldap@lixfeld.ca>
> Sent by: owner-openldap-software@OpenLDAP.org
> 06/27/2006 09:38 AM
>
> To
> OpenLDAP software list <openldap-software@OpenLDAP.org>
> cc
> Subject
> Trying to figure out access policies
>
>
>
>
>
> I think I'm somewhat versed in the basics of OpenLDAP, but the
> concept of access policies eludes me because they are far beyond my
> current level of comprehension.  That being said, I'm doing some
> trial by fire to try to make sense of how they work and hopefully
> will then be able to relate some of what I read in the manual to what
> I've made happen in tests...
>
> I'm trying to get a proxyuser working so I don't have to do
> everything as Manager.
>
> I put this entry into my slapd.conf as per some tutorials I read:
>
> access to attrs=userPassword
>        by dn="cn=Proxyuser,dc=example,dc=ca" read
>
> and likewise, these entries into my ldap.conf:
>
> binddn cn=Proxyuser,dc=example,dc=ca
> bindpw ****
> rootbinddn cn=Proxyuser,dc=example,dc=ca
>
> and finally, the Proxyuser password in /etc/ldap.secret.
>
> Being unsure if the lookups for ldap.conf and ldap.secret is in /etc
> or /usr/local/etc (Using a FreeBSD system here), I symlinked each so
> they are available in both locations.
>
> After that was all said and done, I restarted slapd and tried to do a
> search using the proxyuser as the binddn:
>
> # ldapsearch -D "cn=Proxyuser,dc=example,dc=ca" -b
> 'ou=auth,dc=example,dc=ca' -W '(uid=jlixfeld.example.ca)' userPassword
> Enter LDAP Password:
> ldap_bind: Invalid credentials (49)
>
> # all.log
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 ACCEPT from
> IP=127.0.0.1:54632 (IP=0.0.0.0:389)
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 BIND
> dn="cn=Proxyuser,dc=example,dc=ca" method=128
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 op=0 RESULT tag=97 err=49
> text=
> Jun 27 12:26:21 ricky slapd[47474]: conn=20 fd=10 closed (connection
> lost)
>
> It would seem to me that it's not complaining about the password, so
> I assume it's complaining about the access entry in slapd.conf.  I
> removed the access entry from slapd.conf and was able to perform the
> same search as above without a problem.
>
> Anyone have any pointers on what I can look at as the source of this
> problem?
>
> Also, I'm a little confused about the difference between binddn and
> rootbinddn.  If I understand correctly, rootbinddn is the DN used to
> bind if the user executing the command is root, while binddn is the
> DN used to bind if the user executing the command is any user other
> than root.  Is this correct?  I ask because if I run ldapsearch as
> root with no additional arguments and check the logs, it seems to
> bind anonymously so I'm not sure if my understanding of binddn vs.
> rootbinddn is correct:
>
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 ACCEPT from
> IP=127.0.0.1:58244 (IP=0.0.0.0:389)
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 BIND dn="" method=128
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=0 RESULT tag=97 err=0
> text=
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SRCH base="" scope=2
> deref=0 filter="(objectClass=*)"
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=1 SEARCH RESULT tag=101
> err=32 nentries=0 text=
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 op=2 UNBIND
> Jun 27 12:34:36 ricky slapd[47604]: conn=3 fd=10 closed
>
> Thanks in advance for any insight on either or both of these points...