[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Can domain admins be filtered out with ACLs?

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: Can domain admins be filtered out with ACLs?
From: Igor Shmukler <igor.shmukler@gmail.com>
Date: Thu, 16 Apr 2015 20:28:26 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=tTuB9AOAya3hUewtiQeAVs6KlCRdUiA8DK99c9SsIF8=; b=NNYHrSbCGoq6omnzcDo+ITjPpwC1jV79sCwXhTXDG/VQH+fs1PbKcAmlx3rpYtIaxh 214j3O4uTf3g+ME5tBp3Ios5A9fzFB19TOhiNX6r7Ub4vbYuV2uhGWr8fq2mdUqjekbm HMfKb6G33VW0IvxezJ9nTHiEfyBOLMDyClLJ/oy+uT0WIIsnQcEmPRzNifjHSulVZFjh YCu44nNRrNtgtfh7xektndqsAzrSd/rSztC58cdoVv/prsyOm7x7hJzSTneL+tw2KNsZ on8iJFogQmr60G0ZtSbwwZTwk35sdU43iQkopYYmZG2S9D/KSru5tNBLCrLtNvxN6g9Q BP0w==
In-reply-to: <CAA1SNA25iD8CjFDDcCeikiXLfseCgwv06x4kGTW3NmXbtPvs0w@mail.gmail.com>
References: <CAA1SNA25iD8CjFDDcCeikiXLfseCgwv06x4kGTW3NmXbtPvs0w@mail.gmail.com>

Hi,

For those, for mind find this thread through google and like me
overwhelmed with information won't understand the documentation.
The RootDN cannot be restricted from having privileges under OpenLDAP
2.4. Hence, ACLs won't do anything for RootDN. This is documented.

Someone, elsewhere pointed this out for me.

Sincerely,

Igor Shmukler

On Wed, Apr 15, 2015 at 5:41 PM, Igor Shmukler <igor.shmukler@gmail.com> wrote:
> Hello,
>
> I tried to filter out everyone except cn=config when my ACL filter
> rule is true (a NAME type attribute matches a value), so that password
> authentication for filtered-out users would fail.
> It works for regular users, and does not for admins. Is this because
> my ACL rules are wrong, or is this a feature of OpenLDAP? Why no
> matter what I do
>
> My LDIF is below:
>
> dn: olcDatabase={2}hdb,cn=config
> changetype: modify
> replace: olcAccess
> olcAccess: {0}to attrs=userPassword,shadowLastChange
>   filter=(serviceLevel=suspended)
>   by dn="cn=config" write
>   by * none
> olcAccess: {1}to attrs=userPassword,shadowLastChange
>   filter=(!(serviceLevel=suspended))
>   by self write
>   by anonymous auth
>   by dn="cn=admin,dc=directory,dc=com" write
>   by dn="cn=config" write
>   by * none
> olcAccess: {2}to dn.base="" by * read
> olcAccess: {3}to *
>   filter=(serviceLevel=suspended)
>   by dn="cn=config" write
>   by * none
> olcAccess: {4}to *
>   filter=(!(serviceLevel=suspended))
>   by self write
>   by dn="cn=admin,dc=directory,dc=com" write
>   by dn="cn=config" write
>   by * read
>
> Is there something special about LDAP administrator, by design?
>
> Thank you,
>
> Igor Shmukler

Follow-Ups:
- Re: Can domain admins be filtered out with ACLs?
  - From: Quanah Gibson-Mount <quanah@zimbra.com>

References:
- Can domain admins be filtered out with ACLs?
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: how to check user lock status
Next by Date: Re: Can domain admins be filtered out with ACLs?
Index(es):
- Chronological
- Thread