Re: slapd ACL - limit bind to employeeType=<various>

[Tim Watts <tim.j.watts@kcl.ac.uk>]

Hi Michael,

On 11/04/16 09:11, Michael Ströder wrote:

> > OK - I'm going to have to get my head around that :) On a test
> > platform... Am I right in thinking the job of the 2nd ACL is because
> > if employeeType is Archive|Delete, the first ACL will simple fall
> > through - so the second ACL is semantically a "Deny All"?
>
> Yepp.

Thanks! That's clearer now.

> > One other thing - I did not mention, which is retrospect might be
> > important:
> >
> > I don't let slapd store password hashes - it passes through to
> > Kerberos via saslauthd. So the attribute is of this form:
> >
> > userPassword: {SASL}someuser@MY.KERB.REALM
> >
> > I presume that blocking access to userPassword will still cause
> > authentication to fail in this case as it won't be able to do that
> > lookup?
>
> Yes, I think so. But I never used saslauthd myself.

I'll set up a test and confirm to this list (to make the archive of this 
thread more useful to someone else).


> > I thought you'd say that :) I'm OK with limiting access to the parent
> > directory (in this case to the slapd user and root). For me, it feels
> > simpler. You may disagree, but I just wanted to say it wasn't an
> > oversight.
>
> Your server, your attack vectors...

:)

Cheers!

Tim


--
Tim Watts                               Tel (VOIP): +44 (0)1580 848360
Systems Manager         Kings Digital Lab (KDL), King's College London
Systems Messages and Notifications: https://systemsblog.cch.kcl.ac.uk/