[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Problem with ACLs

To: "Bill Bradford" <mrbill@mrbill.net>, <openldap-technical@openldap.org>
Subject: RE: Problem with ACLs
From: Jason Trupp <jtrupp@symas.com>
Date: Fri, 31 Aug 2018 12:58:48 -0500 (CDT)
Content-language: en-us
In-reply-to: <20180831175550.GY12349@mrbill.net>
References: <20180830191722.GW12349@mrbill.net> <005301d4413a$a62c59a0$f2850ce0$@symas.com> <20180831175550.GY12349@mrbill.net>
Thread-index: AQGIeEndIsiN32eoK3qlZef4se5NQQGrbNzHAh6h7vWlU2dOAA==
Thread-topic: Problem with ACLs

Yes sir, per the ldap.conf man page there is no SSL ON option. Please
comment that line out and try the slapacl command again.

Thanks,
Jason Trupp
Symas Corporation
(855) LDAP-GUY

-----Original Message-----
From: Bill Bradford <mrbill@mrbill.net> 
Sent: Friday, August 31, 2018 12:56 PM
To: Jason Trupp <jtrupp@symas.com>; openldap-technical@openldap.org
Subject: Re: Problem with ACLs

On Fri, Aug 31, 2018 at 09:55:25AM -0500, Jason Trupp wrote:
>Bill,
>The slapacl command can help here. It analyzes permissions granted by 
>the ACLs and if the -d -1 option (debugging) is included with the 
>command it will tell which ACL is processed that grants what 
>permission. That will help you identify why your user isn't being 
>granted the permissions you expect. Below are a couple examples. You 
>can craft your own slapacl command from them.
<snip>
>Let me know if you need further assistance.

Jason, thanks.

I'll start with: my server is working fine, I have a multi-master
replication set up (one master in each city) with a read-only slave in
each city that the clients hit.

Tried this (slapacl) last night, but it seems to be assuming that
everything is in ldap.conf instead of in separate files as per the newer
config ways:

(actual BaseDN replaced with dc=domain,dc=com for security reasons)

[root@hou-1 openldap]# slapacl -f /etc/openldap/ldap.conf -v -D
"uid=romanager,ou=Users,dc=domain,dc=com" -b
"employeeNumber=413111,ou=people,dc=domain,dc=com" userPassword/read
5b897f57 /etc/openldap/ldap.conf: line 15: unknown directive <SSL> outside
backend info and database definitions.
slapacl: bad configuration file!

My /etc/openldap/ldap.conf looks like this:

-------------------------------------------
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE    dc=example,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666

#SIZELIMIT    12
#TIMELIMIT    15
#DEREF        never

SSL ON
TLS_CACERTDIR    /etc/openldap/certs
TLS_REQCERT allow
TLSVerifyClient never

TLSCACertificateFile /etc/openldap/certs/ca-bundle.crt TLSCertificateFile
/etc/openldap/certs/server.crt TLSCertificateKeyFile
/etc/openldap/certs/server.key

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
-------------------------------------------

All of my actual config is under /etc/openldap/slap.d:

[root@hou-1 slapd.d]# pwd
/etc/openldap/slapd.d
[root@hou-1 slapd.d]# find . -print
.
./cn=config.ldif
./cn=config
./cn=config/olcDatabase={-1}frontend.ldif
./cn=config/cn=schema.ldif
./cn=config/cn=schema
./cn=config/cn=schema/cn={8}sudo.ldif
./cn=config/cn=schema/cn={3}inetorgperson.ldif
./cn=config/cn=schema/cn={5}openssh-lpk.ldif
./cn=config/cn=schema/cn={6}apple-user.ldif
./cn=config/cn=schema/cn={0}core.ldif
./cn=config/cn=schema/cn={7}domain.ldif
./cn=config/cn=schema/cn={1}cosine.ldif
./cn=config/cn=schema/cn={4}ldapns.ldif
./cn=config/cn=schema/cn={2}nis.ldif
./cn=config/out
./cn=config/olcDatabase={1}monitor.ldif
./cn=config/cn=module{0}.ldif
./cn=config/olcDatabase={0}config.ldif
./cn=config/olcDatabase={2}hdb
./cn=config/olcDatabase={2}hdb/olcOverlay={2}syncprov.ldif
./cn=config/olcDatabase={2}hdb/olcOverlay={1}syncprov.ldif
./cn=config/olcDatabase={2}hdb/olcOverlay={0}syncprov.ldif
./cn=config/olcDatabase={2}hdb.ldif

>-----Original Message-----
>From: openldap-technical <openldap-technical-bounces@openldap.org> On 
>Behalf Of Bill Bradford
>Sent: Thursday, August 30, 2018 2:17 PM
>To: openldap-technical@openldap.org
>Subject: Problem with ACLs
>
>Trying to give a single user "read only" access to everything in the 
>database including userPassword info.
>
>Here's the LDIF file I'm using w/ldapmodify:
>
>dn: olcDatabase={2}hdb,cn=config
>changetype: modify
>replace: olcAccess
>olcAccess: {0}to attrs=userPassword,shadowLastChange
>  by dn="cn=Manager,dc=domain,dc=com" write
>  by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
>  by anonymous auth
>  by self write
>  by * none
>olcAccess: {1}to dn.base=""
>  by * read
>olcAccess: {2}to *
>  by dn="cn=Manager,dc=domain,dc=com" write
>  by * read
>
>However, authenticating as uid=romanager,ou=Users,dc=domain,dc=com
>lets that user read his own password hash, but nobody else's.  In other 
>words it's authenticating just like any other user, and it's as if the
>
>by dn.exact="uid=romanager,ou=Users,dc=domain,dc=com" read
>
>line is being ignored.  The change is being applied as I've looked at 
>the database files for the config.  I've tried restarting slapd, etc.
>
>Any suggestions?
>
>@(#) $OpenLDAP: slapd 2.4.44 (Aug  4 2017 14:23:27) $
>
>Bill
>
>--
>Bill Bradford
>Houston, Texas USA

--
Bill Bradford
Houston, Texas USA

Follow-Ups:
- Re: Problem with ACLs
  - From: Bill Bradford <mrbill@mrbill.net>

References:
- Problem with ACLs
  - From: Bill Bradford <mrbill@mrbill.net>
- RE: Problem with ACLs
  - From: Jason Trupp <jtrupp@symas.com>
- Re: Problem with ACLs
  - From: Bill Bradford <mrbill@mrbill.net>

Prev by Date: Re: Problem with ACLs
Next by Date: Re: Problem with ACLs
Index(es):
- Chronological
- Thread