[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: New guy needs some help choosing an overlay

To: Jonathan Knight <j.knight@kis.keele.ac.uk>
Subject: Re: New guy needs some help choosing an overlay
From: Pierangelo Masarati <ando@sys-net.it>
Date: Wed, 04 Mar 2009 19:38:51 +0100
Cc: openldap-software@openldap.org
In-reply-to: <49AE9AA8.7000203@kis.keele.ac.uk>
References: <497D86AF.8020004@kis.keele.ac.uk> <Pine.SOC.4.64.0901261143160.2853@toolbox.rutgers.edu> <49AE9AA8.7000203@kis.keele.ac.uk>
User-agent: Thunderbird 2.0.0.17 (X11/20081001)

Jonathan Knight wrote:

Aaron Richton wrote:

I think you're making this harder than it needs to be, or at least in a
way that I find less intuitive.


Many thanks for your help Aaron.  I went down the ACL route but chose a
slightly different method.

What I did was to use the "relay" backend to duplicate the
dc=people,dc=kdir,dc=keele,dc=ac,dc=uk tree and then apply an ACL as you
suggested to block access to the relay tree if the attribute wasn't set.

i.e.

access to dn.children="dc=webct,dc=kdir,dc=keele,dc=keele,dc=ac,dc=uk"
  filter="(kdirVle=no)"
  by * =rcsd

access to * by * read

with the aim of blocking the auth bit (x) if the flag was set to "no".
That way the broken client could find the user, but would not be able to
authenticate.  I expected that would give a better error message or
"authentication failed" rather than "user unknown".

This didn't work - I could bind as a user in that subtree with the flag
set to false with no trouble at all.

I started slapd with debug set for the ACL's to see where I'd gone wrong
and although there are a lot of calls to acl_mask, acl_get and so on
after the bind, the bind itself doesn't seem to call any acl's at all.

So I wonder if I've missed something.  Should I see calls to acl's in
the bind call?

It's hard to tell without seeing your whole configuration. Auth (by simple bind) uses ACLs. In detail, it needs auth access to userPassword. The ACL you show above should indeed prevent auth; however, everybody would see the userPassword of everybody under that tree (=r). If this doesn't actually happen, then there must be an earlier

access to attrs=userPassword by * auth

that intercepts auth requests, thus defeating your rule.

Something along the lines

access to dn.children="dc=example,dc=com"
                filter="(yourmagicfilter)"
                attrs=userPassword
        by * none

access to dn.children="dc=example,dc=com"
                filter="(yourmagicfilter)"
        by * =rcsd

access to attrs=userPassword
        by * auth

access to * by * read

In any case, I don't quite understand why you need back-relay; is it because you also need to fake the naming context? Or because you want "smart" applications to have regular privileges? Otherwise ACLs for your real database would just suffice.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Follow-Ups:
- Re: New guy needs some help choosing an overlay
  - From: Jonathan Knight <j.knight@kis.keele.ac.uk>

References:
- Re: New guy needs some help choosing an overlay
  - From: Jonathan Knight <j.knight@kis.keele.ac.uk>

Prev by Date: Re: New guy needs some help choosing an overlay
Next by Date: RE24 (2.4.15) slapd consuming large amounts of CPU
Index(es):
- Chronological
- Thread