[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Required changes in 2.4.7 regarding ACLs when using authz-regexp?

To: openldap-software@openldap.org
Subject: Re: Required changes in 2.4.7 regarding ACLs when using authz-regexp?
From: Michael Ströder <michael@stroeder.com>
Date: Thu, 28 Feb 2008 16:41:11 +0100
In-reply-to: <47A38BE7.6030706@suretecsystems.com>
References: <479A07B2.70807@stroeder.com> <47A38BE7.6030706@suretecsystems.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.12) Gecko/20080201 SeaMonkey/1.1.8

Gavin Henry wrote:

Michael Ströder wrote:
I tried to migrate an existing server from 2.3.39 to 2.4.7 (or also CVS RE24). I'm making use of authz-regexp to map user entries when they do a SASL Bind with DIGEST-MD5. Also some ACLs are in effect. This together used to work on 2.3.x with the existing ACLs.

With 2.4.7 this worked no longer. The user wasn't found. In the ACL debug log I've noticed that access to the search root database entry (suffix) is requested. When I explicitly grant auth access to this entry it works. But why is that needed? Was this an intended change?
Can you paste them?

I've prepared a simplified slapd.conf and a LDIF file (both attached) for this particular migration issue.

Take note of this:

authz-regexp
  "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"
[..]
access to
    dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    by * auth


See test of recent RE23 (port 2003) vs. recent RE24 (port 2004):

----------------------------- snip ----------------------------- $ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2003"; -Y DIGEST-MD5 -w testsecret SASL/DIGEST-MD5 authentication started SASL username: michael SASL SSF: 128 SASL data security layer installed. dn:uid=michael,ou=users,ou=authz-test,dc=stroeder,dc=local $ /opt/openldap-RE24/bin/ldapwhoami -H "ldap://localhost:2004"; -Y DIGEST-MD5 -w testsecret SASL/DIGEST-MD5 authentication started ldap_sasl_interactive_bind_s: Invalid credentials (49) m ----------------------------- snip -----------------------------

If I grant auth access to the database root entry ou=authz-test,dc=stroeder,dc=local it works (see comment of this particular ACL in attached slapd.conf). With RE23 it also works without this ACL!

Ciao, Michael.

dn: ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: authz-test

dn: ou=Users,ou=authz-test,dc=stroeder,dc=local
objectClass: organizationalUnit
ou: Users

dn: uid=michael,ou=Users,ou=authz-test,dc=stroeder,dc=local
uid: michael
objectClass: account
objectClass: simpleSecurityObject
userpassword: testsecret

include		/opt/openldap-RE24/etc/openldap/schema/core.schema
include		/opt/openldap-RE24/etc/openldap/schema/cosine.schema

# Define global ACLs to disable default read access.

pidfile		/home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.pid
argsfile	/home/michael/temp/openldap-authzto-testbed/RE24/run/slapd-1.args

modulepath	/opt/openldap-RE24/libexec/openldap

moduleload	back_hdb.la

authz-regexp
  "uid=([a-zA-Z0-9]+),cn=digest-md5,cn=auth"
  "ldap:///ou=authz-test,dc=stroeder,dc=local??sub?(uid=$1)"

database	hdb

suffix		"ou=authz-test,dc=stroeder,dc=local"
directory	/home/michael/temp/openldap-authzto-testbed/RE24/data

# Index-Konfiguration
index objectClass,uid		eq

sizelimit	-1

# User entries
# ------------------------

access
    to dn.onelevel="ou=Users,ou=authz-test,dc=stroeder,dc=local"
    by * auth

# Why the hell is this ACL needed for SASL Bind with authz-regexp with OpenLDAP 2.4?
access to dn.base="ou=authz-test,dc=stroeder,dc=local"
    by * auth

References:
- Re: Required changes in 2.4.7 regarding ACLs when using authz-regexp?
  - From: Gavin Henry <ghenry@suretecsystems.com>

Prev by Date: Re: Access Control issues
Next by Date: add local entries to a master database.
Index(es):
- Chronological
- Thread