
RE: Attempting to set Access Control for auth to Perl Backend



So the only place I have bind defined in the Perl backend is the one on
dc=mfa; there is nothing else that can bind anywhere. I don't want anything
to be able to do anything other than a straight LDAP bind to the dc=mfa
branch. They don't even do a search against it, just a straight connect, bind,
disconnect.

The solution you gave below doesn't seem to work either, as no error code is
returned.

If I could somehow get the originating IP address passed into Perl, I could
have it check that and return error code 53 or something similar, but right
now it's passing everything into Perl, regardless of the IP address, and
authenticating the user.


-Etan E. Weintraub
Information Security Architect
IT@Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Davis Building Suite 3110B
Baltimore, MD 21209
Phone: 667-208-6309
E-mail: eweintra@jhmi.edu

-----Original Message-----
From: Quanah Gibson-Mount [mailto:quanah@symas.com] 
Sent: Tuesday, June 6, 2017 2:37 PM
To: Etan Weintraub <eweintra@jhmi.edu>; 'openldap-technical@openldap.org'
<openldap-technical@openldap.org>
Subject: Re: Attempting to set Access Control for auth to Perl Backend

--On Tuesday, June 06, 2017 5:32 PM +0000 Etan Weintraub 
<eweintra@jhmi.edu> wrote:

> I now need to do the same type of thing for another branch, but for
> authentication instead (i.e. only allow auth to occur if coming from an
> approved IP). I've tried the following:
>
> access to dn.sub="dc=mfa"
>         by peername.ip=127.0.0.1 auth
>         by peername.ip=10.181.24.193 auth
>         by * none
>
> But no luck. Any ideas/help? If I can't do this with an ACL, if I can
> get the IP address of the request passed into the bind function in the
> Perl backend, I can handle the controls there.

That's not really what "auth" access means.  Are you using simple binds? 
If so, I'd try something like:

access to dn.sub="dc=mfa" attrs=userPassword
        by peername.ip=127.0.0.1 anonymous auth
        by peername.ip=10.181.24.193 anonymous auth
        by <admin> write

access to dn.sub="dc=mfa"
	by users read


Now this makes some assumptions: a) Users auth against an entry in the 
dc=mfa tree, and b) that users only exist in that tree.

Alternatively, you may wish to look at set based ACLs to set it so that 
only entries that exist /in/ the dc=mfa tree can read entries in the dc=mfa 
tree, combined with the IP restrictions.

--Quanah


--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
