Re: ACLs: restrict by IP and user

On Wed, Apr 27, 2016 at 12:10:31PM -0400, Aaron Richton wrote:
> Yes, this should be possible, something along the lines of:
> 
> access to attrs=somethingPrivate
> 	by self none break
> 	by * none
> 
> access to attrs=somethingPrivate
> 	by peername.ip="1.2.3.0%255.255.255.0" write
> 	by * none

Thanks for the tip, this really does seem to work. :)

As we're building a proxy configuration, this requires some reordering of the
ACLs. Until now, the ACLs have all resided on the backend servers, and the
proxy hasn't had anything (it has been configured as a read-only meta database).

This would require moving at least some of the ACLs to the proxy, because the
backend sees all the connections as coming from the proxy, correct?

But this introduces an additional problem. Some of the attributes that require
"self" from a certain IP address should also work when a member of a certain
group accesses the attribute from anywhere.

So something like this should work:

--clip--
access to attrs=somethingPrivate
      by group/groupOfUniqueNames/uniqueMember.exact="cn=somegroup,ou=somebranch,dc=dom,dc=ain" read
      by self none break
      by * none

access to attrs=somethingPrivate
      by peername.ip="1.2.3.0%255.255.255.0" write
      by * none
--clip--

But if I put this kind of ACL entry in my proxy, when a member of the group
"cn=somegroup,ou=somebranch,dc=dom,dc=ain" tries to access somethingPrivate,
the ACL checker falls all the way through to the "by * none" WHO clause and no
access is granted.

I have added the acl-authcDN and acl-passwd config lines to my meta backend
config after the URI, but they don't seem to have any effect. Moreover, I found
this:

  http://www.openldap.org/lists/openldap-devel/201208/msg00002.html

which says

--clip--
I see a few puzzling inconsistencies, like the existence of acl-passwd and
acl-authcDN keywords that don't actually have any functional code behind them.
I would guess they should have been replaced with acl-bind but there's no
implementation of that anywhere either.
--clip--

Wonder if that's still true? If so, what'd be a working method to check group
based ACLs on the proxy?

I'm running 2.4.39 from the RHEL 7 distribution.


--Janne Peltonen
University of Helsinki
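The fall-through described in the message above can be traced by walking the two directives by hand. The following is an added illustration, not OpenLDAP code and not a complete implementation of slapd.access(5): it models only ordered `access to` directives, first-match `by` clauses, the default `stop` and the `break` control, `self`, `peername.ip=<addr>%<mask>`, and a group clause whose outcome depends on whether the group entry can be read at all. The DNs `uid=alice,...` and `uid=bob,...`, the `GROUPS` content and the `backend_lookup`/`proxy_lookup` functions are constructed for the example; only the group DN, attribute name and subnet come from the thread.

```python
"""Toy model of slapd access-directive evaluation (illustration only, not
OpenLDAP code).  Covers just what the thread needs: ordered directives,
first-match `by` clauses, `stop`/`break`, `self`, `peername.ip=addr%mask`
and a group clause that needs the group entry to be readable."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, Optional


@dataclass
class Request:
    bind_dn: str    # identity the client bound as
    target_dn: str  # entry whose attribute is being accessed
    peer_ip: str    # peer address as seen by *this* slapd (a backend behind a proxy sees the proxy)


Who = Callable[[Request], bool]


@dataclass
class By:
    who: Who
    access: str
    control: str = "stop"   # slapd default; "break" goes on to the next directive


@dataclass
class Directive:
    attrs: set      # the attrs= part of <what>; entry selection is not modelled
    clauses: list


def anyone(req: Request) -> bool:
    """`by *`"""
    return True


def self_(req: Request) -> bool:
    """`by self`: the requester is bound as the entry being accessed."""
    return req.bind_dn != "" and req.bind_dn == req.target_dn


def peername_ip(spec: str) -> Who:
    """`by peername.ip=<addr>%<mask>` with a dotted netmask, as in the thread.
    Without a mask only the single address matches."""
    addr, _, mask = spec.partition("%")
    net = ip_network(f"{addr}/{mask or '255.255.255.255'}", strict=False)
    return lambda req: ip_address(req.peer_ip) in net


def group(group_dn: str, lookup: Callable[[str], Optional[set]]) -> Who:
    """`by group/groupOfUniqueNames/uniqueMember.exact=<dn>`.  slapd reads the
    group entry with an internal search; `lookup` stands in for that search and
    returns the member set, or None when the entry cannot be read.  An
    unreadable group simply fails to match."""
    def who(req: Request) -> bool:
        members = lookup(group_dn)
        return members is not None and req.bind_dn in members
    return who


def evaluate(directives, req: Request, attr: str) -> str:
    """First directive whose <what> matches is used; inside it the first
    matching <who> decides.  `stop` ends evaluation, `break` leaves the
    directive and continues with the next one; no match means `none`."""
    for d in directives:
        if attr not in d.attrs:
            continue                    # <what> does not match this directive
        for c in d.clauses:
            if not c.who(req):
                continue
            if c.control == "break":
                break                   # carry on with the next directive
            return c.access             # default "stop": this clause decides
        else:
            return "none"               # no <who> matched: implicit `by * none`
    return "none"                       # ran out of directives: denied


GROUP_DN = "cn=somegroup,ou=somebranch,dc=dom,dc=ain"   # from the thread
ALICE = "uid=alice,ou=people,dc=dom,dc=ain"              # constructed: a group member
BOB = "uid=bob,ou=people,dc=dom,dc=ain"                  # constructed: not a member
GROUPS = {GROUP_DN: {ALICE}}                             # constructed directory content


def backend_lookup(dn: str) -> Optional[set]:
    """Internal search on a server that holds the group entry."""
    return GROUPS.get(dn)


def proxy_lookup(dn: str) -> Optional[set]:
    """Models a proxy whose internal group search yields nothing."""
    return None


def acls(lookup) -> list:
    """The two directives posted in the message, in the same order."""
    return [
        Directive({"somethingPrivate"}, [
            By(group(GROUP_DN, lookup), "read"),
            By(self_, "none", "break"),
            By(anyone, "none"),
        ]),
        Directive({"somethingPrivate"}, [
            By(peername_ip("1.2.3.0%255.255.255.0"), "write"),
            By(anyone, "none"),
        ]),
    ]


def decide(req: Request, lookup=backend_lookup) -> str:
    return evaluate(acls(lookup), req, "somethingPrivate")


if __name__ == "__main__":
    cases = [
        ("bob, own entry, from the subnet", Request(BOB, BOB, "1.2.3.4"), backend_lookup),
        ("bob, own entry, from elsewhere", Request(BOB, BOB, "10.0.0.1"), backend_lookup),
        ("alice (member), bob's entry, from elsewhere", Request(ALICE, BOB, "10.0.0.1"), backend_lookup),
        ("alice, bob's entry, group unresolvable (proxy)", Request(ALICE, BOB, "10.0.0.1"), proxy_lookup),
    ]
    for label, req, lookup in cases:
        print(f"{label}: {decide(req, lookup)}")
```

Two things the model makes visible. When the group entry cannot be resolved, the group clause never matches, so a member hitting a foreign entry from outside the subnet reaches `by * none` in the first directive, and a member on their own entry takes the `self ... break` path and is then judged on the peer address alone, which is the behaviour the message reports at the proxy. Separately, because the group clause comes first and has the default `stop`, a group member gets `read` even when connecting from the privileged subnet; the `write` clause in the second directive is reached only by requesters the first directive `break`s on.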