
Re: Content-Based Access Control?



I did read, but slapd does it the wrong way.
My slapd.conf contains the following:

# forbid writing to userPassword for entries starting with {SASL}
access to attrs=userPassword val.regex="SASL}.*"
        by * auth stop

# allow writing to ldapclient and self, otherwise only auth
access to attrs=userPassword,userPKCS12,sambaNTPassword,sambaLMPassword
        by dn="cn=ldapclient,dc=mydomain,dc=de" write
        by self write
        by * auth

What I expect is that an entry with an existing userPassword of
'{SASL}something' will not be writable by any user.

What I get is that the ldapclient and 'self' can write a new userPassword
if the content of the *NEW* password does not contain {SASL}.

I don't understand how to get it working in my way.



Protocol: 
---------

The database has the following entries (shortened):

dn: uid=frust,ou=People,dc=mydomain,dc=de
userPassword:: geheim

dn: uid=someone,ou=People,dc=mydomain,dc=de
userPassword:: {SASL}someone


Now try to change entries:

ldapmodify -x  -v -D 'cn=ldapclient,dc=mydomain,dc=de' -W  
dn: uid=someone,ou=People,dc=mydomain,dc=de
changetype: modify
replace: userPassword
userPassword: newpass
-

Enter LDAP Password: 
replace userPassword:
	newpass
modifying entry "uid=someone,ou=People,dc=mydomain,dc=de"
modify complete


ldapmodify -x  -v -D 'cn=ldapclient,dc=mydomain,dc=de' -W  
dn: uid=frust,ou=People,dc=mydomain,dc=de
changetype: modify
replace: userPassword
userPassword: {SASL}abc
-

Enter LDAP Password: 
replace userPassword:
	{SASL}abc
modifying entry "uid=frust,ou=People,dc=mydomain,dc=de"
ldap_modify: Insufficient access (50)


On Friday, 26.11.2010, 05:09 -0800, Howard Chu wrote:
> Frank Rust wrote:
> > Hi all,
> >
> > would it be possible to configure a content-based access control?
> 
> Yes. Read the slapd.access(5) manpage.
> 
> > I have following configuration: my ldap contains user data.
> > Some of the users are local ones and have a regular password entry.
> > They shall be able to change their password.
> > Other users are remotely authenticated with saslauthd.
> > They shall not be able to change their 'password' which is just a
> > redirection.
>