OpenLDAP: ACLs using sockname and DN?
Greetings.
In OpenLDAP (2.4.45, on FreeBSD), I'm trying to constrain the access of
a DN to an attribute, by giving a DN access only when the connection is
made via a socket; but without success. I may just be looking for an
example of correct use.
What I'm trying is
olcAccess: to attrs=userPassword
by dn.base="uid=pwreset,ou=service,dc=example,dc=edu"
sockname.exact="/var/run/openldap/ldapi"
write
(the idea is that the pwreset DN can be used by an automatic
password-reset script, but that that DN will have that access only when
the script is running on the same machine as the LDAP server).
This `by` phrase appears to match the production in Sect. 8.3 of the
OpenLDAP access control documentation, and the remark in slapd.access(5)
that the items in the <who> field ‘may be specified in combination’.
And indeed there are no syntax warnings generated. I'm presuming that
the combination implies an AND rather than an OR – this isn't made
explicit in the documentation. I can find no examples covering this in
either OpenLDAP documentation or on the web.
This stanza works when the sockname element is absent, suggesting that
the configuration is otherwise working as I expect.
When I try to write the userPassword attribute using this DN, I get an
ldap_modify: Insufficient access (50) error.
The OpenLDAP documentation doesn't (somewhat surprisingly) explicitly
state what the effect of this sockname element is, and the
slapd.access(5) page says, rather obliquely, that:
The statements peername=<peername>, sockname=<sockname>,
domain=<domain>, and sockurl=<sockurl> mean that the contacting host
IP (in the form IP=<ip>:<port> for IPv4, or IP=[<ipv6>]:<port> for
IPv6) or the contacting host named pipe file name (in the form
PATH=<path> if connecting through a named pipe) for peername, the
named pipe file name for sockname, the contacting host name for
domain, and the contacting URL for sockurl are compared against
pattern to determine access.
Saying 'determine access' doesn't actually say very much.
Have I completely misunderstood the point of this access specification,
or is there another way to do this?
Best wishes,
Norman
--
Norman Gray : https://nxg.me.uk
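An added example, not part of the post above and not OpenLDAP project code, showing the stanza rewritten so that the sockname comparison can succeed. Two facts it relies on: the components of a single `by` clause are all required to match (dn AND sockname, not OR), and for an ldapi:// listener slapd records the socket name as the string `PATH=<path>`, the same `PATH=` form that the quoted slapd.access(5) text describes for peername. `sockname.exact` compares the entire stored string, so `sockname.exact="/var/run/openldap/ldapi"` never matches and the clause falls through to the implicit `by * none`, which is consistent with the `Insufficient access (50)` reported. The database DN `olcDatabase={1}mdb`, the `{0}` ordinal and the trailing `by self write`, `by anonymous auth` and `by * none` clauses are assumptions chosen for this example, not from the post.

```ldif
# Added example (not from the original post). Apply with:
#   ldapmodify -Y EXTERNAL -H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi/ -f this.ldif
#
# As posted (does not match, because slapd compares against "PATH=/var/run/openldap/ldapi"):
#   olcAccess: to attrs=userPassword
#     by dn.base="uid=pwreset,ou=service,dc=example,dc=edu"
#        sockname.exact="/var/run/openldap/ldapi" write
#
# Rewritten: the whole stored string, PATH= prefix included.
# Database DN ({1}mdb) and ordinal {0} are assumed for this example.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword
  by dn.base="uid=pwreset,ou=service,dc=example,dc=edu"
     sockname.exact="PATH=/var/run/openldap/ldapi" write
  by self write
  by anonymous auth
  by * none
# Equivalent regex form (sockname accepts only the exact and regex styles):
#     sockname.regex="^PATH=/var/run/openldap/ldapi$" write
```

To confirm the restriction is doing what the post intends, run the reset script's `ldapmodify` twice as the `pwreset` DN: once with `-H ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi/` and once with `-H ldap://localhost/`. Only the ldapi run should succeed; the TCP run should still return `Insufficient access (50)`, since that connection's sockname is an `IP=...` string and the `by` clause does not match.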