[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OLC permissions - general beginner question

Stefan Bauer <sb@plzk.de> writes:

> I only have the cn=config DIT available.

(You actually have cn=monitor, too.)

> dn: olcDatabase={0}config,cn=config
> olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
> [...]
> so it looks like only UID=0 (root) should be able to interoperate with
> the directory. However all local users can connect but do not have
> access to cn=config (this is expected).
> [user@host ~]$ ldapsearch -Y EXTERNAL -H ldapi:/// -b 'cn=config'
> [...]
> search: 2
> result: 32 No such object
> So why am i even able to logon and state a query?

You do not "logon", you use external authentication, which means there's
no separate BIND step, like with simple bind (-x) for example.  External
authenication is not done by slapd (hence its name; it's done by the
kernel in the above case), thus slapd can't fail it.  The only LDAP
operation it sees is a search, and the authenticated DN
(gidNumber=X+uidNumber=Y,...) is not authorized for that, so the result
is "No such object".  As ACLs belong to target objects, they are not
suitable for forcing server disconnection as soon as the authenticated
DN is known.  Maybe LDAP doesn't even allow such behaviour.