Re: slapd ACL - limit bind to employeeType=<various>
- Subject: Re: slapd ACL - limit bind to employeeType=<various>
- From: Tim Watts <tim.j.watts@kcl.ac.uk>
- Date: Mon, 11 Apr 2016 09:50:13 +0100
- Cc: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- In-reply-to: <6ed2005ec9f849478cb94dee3751452e@AM4PR03MB1682.eurprd03.prod.outlook.com>
- References: <570ACD82.5070000@kcl.ac.uk> <f9a748d036b34a9290d70b247049f210@AM4PR03MB1682.eurprd03.prod.outlook.com> <570B5988.9080109@kcl.ac.uk> <6ed2005ec9f849478cb94dee3751452e@AM4PR03MB1682.eurprd03.prod.outlook.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0
Hi Michael,
On 11/04/16 09:11, Michael Ströder wrote:
>> OK - I'm going to have to get my head around that :) On a test
>> platform... Am I right in thinking the job of the 2nd ACL is because
>> if employeeType is Archive|Delete, the first ACL will simply fall
>> through - so the second ACL is semantically a "Deny All"?
> Yepp.
Thanks! That's clearer now.
>> One other thing - I did not mention, which in retrospect might be
>> important:
>> I don't let slapd store password hashes - it passes through to
>> Kerberos via saslauthd. So the attribute is of this form:
>> userPassword: {SASL}someuser@MY.KERB.REALM
>> I presume that blocking access to userPassword will still cause
>> authentication to fail in this case as it won't be able to do that
>> lookup?
> Yes, I think so. But I never used saslauthd myself.
I'll set up a test and confirm to this list (to make the archive of this
thread more useful to someone else).
>> I thought you'd say that :) I'm OK with limiting access to the parent
>> directory (in this case to the slapd user and root). For me, it feels
>> simpler. You may disagree, but I just wanted to say it wasn't an
>> oversight.
> Your server, your attack vectors...
:)
Cheers!
Tim
--
Tim Watts Tel (VOIP): +44 (0)1580 848360
Systems Manager Kings Digital Lab (KDL), King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/
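As an added illustration (not from this thread, and not the ACLs Michael posted), here is one way the two-ACL pattern discussed above could be written in slapd.conf: the first ACL only matches entries whose employeeType is not Archive or Delete, so entries with those values fall through to the second ACL, which denies everything including the auth access a bind needs. The attribute and value names come from the thread; the exact filter shape and the self/anonymous clauses are assumptions.

```conf
# Added example, not the thread's own configuration.
# ACL 1: only entries that are NOT Archive/Delete match this "to" clause.
#   - the bound user may change their own userPassword
#   - anonymous gets "auth" access, which is what a simple bind needs
#   - everyone else gets nothing
access to attrs=userPassword
        filter=(!(|(employeeType=Archive)(employeeType=Delete)))
        by self write
        by anonymous auth
        by * none

# ACL 2: entries with employeeType=Archive or Delete do not match ACL 1
# (the filter excludes them), so they land here and are denied all access,
# including "auth". Without "auth" on userPassword, a simple bind fails,
# regardless of whether the value is a local hash or a {SASL} passthrough
# reference such as userPassword: {SASL}someuser@MY.KERB.REALM
# (the thread leaves confirming the {SASL} case to testing).
access to attrs=userPassword
        by * none
```

Because slapd stops at the first ACL whose "to" clause matches, the order of these two stanzas matters: swapping them would deny userPassword access to every entry.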