[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: memberOf search ACLs

On Sat, 2008-07-19 at 11:33 +0200, Pierangelo Masarati wrote:
> Andrew Bartlett wrote:
> > I've recently been trying to lock down Samba4's default ACLs, in it's
> > generated LDAP backend configuration.
> > 
> > I have memberOf configured to 'error' on dangling links, which I need
> > for Samba.  
> > 
> > But I seem to be having some trouble with ACLs.  I've attached my full
> > config file, but the key part is:
> > 
> > access to dn.base="" 
> >        by dn=cn=samba-admin,cn=samba manage
> >        by anonymous read
> >        by * read
> > 
> > access to dn.subtree="cn=samba"
> >        by anonymous auth
> > 
> > access to dn.subtree="${DOMAINDN}"
> >        by dn=cn=samba-admin,cn=samba manage
> >        by * none
> > 
> > If I change the last line to 'by * read', then the error is returned,
> > but otherwise (due apparently to "" being unable to read the entry to
> > validate it's existence).
> > 
> > Shouldn't the search operations happen as the rootdn or memberof-dn, or
> > am I missing some other configuration element here?
> Not sure I got the point, but what I'm sure about is that any check 
> about dangling links is done while writing.  The result of search 
> operations is based on what values the link contain, statically.  Apart 
> from this, yes, internal ops are performed using the rootdn, in order to 
> skip any issue related to access control.

OK, so it's not some missing configuration (I could not see how it would
be), but instead something else odd in that means that without the 'by *
read' I cannot get the dangling link validated.  

Hmm, I have the module loaded globally - perhaps I need a global rootdn
of some kind defined?

I have one per-database (now), but the documentation strongly encourages
one not to have a rootdn at all. 

Andrew Bartlett

Andrew Bartlett
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

Attachment: signature.asc
Description: This is a digitally signed message part