Re: Check synchro : access only to contextcsn
- To: openldap-technical@openldap.org
- Subject: Re: Check synchro : access only to contextcsn
- From: Dieter Klünter <dieter@dkluenter.de>
- Date: Thu, 18 Oct 2018 17:47:34 +0200
- In-reply-to: <CAFkMs3M9329=cFRBk8noaFw+ebL_d2EMu6LFedT2HUT5gJeh6w@mail.gmail.com>
- Organization: AVCI
- References: <CAFkMs3NG7RcUFY4gTRArn=dHZDSrD15-sW4r6NeAjf+tAX_M4g@mail.gmail.com> <20181016175446.7c844158@pink.fritz.box> <FB0D7512A6499D3DDF02394F@192.168.1.39> <CAFkMs3M9329=cFRBk8noaFw+ebL_d2EMu6LFedT2HUT5gJeh6w@mail.gmail.com>
On Thu, 18 Oct 2018 09:48:22 +0200,
Lirien Maxime <maxime.lirien@gmail.com> wrote:
> Damn! My ACLs don't work despite your help :-/
Run slapd in debugging mode 'acl' or test with slapacl(8);
note that contextCSN is stored in the root entry.
-Dieter
>
> In the log it seems that "supervision" can't access dc=fr; it starts
> from dc=gouv,dc=fr.
> Without rule #3, it's OK because of rule #5.
> But with rule #3 it's supposed to match contextCSN.
>
> Thanks guys.
>
> Here are my ACLs:
>
> # 1) Admin's branch
> access to dn.subtree="ou=Comptes Admin,dc=fr"
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by self auth
> by users auth
> by anonymous auth
>
> # 2) userPassword accessible by all
> access to * attrs=userPassword
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by users auth
> by anonymous auth
> by * none
>
>
> # 3) ********* CONTEXTCSN **********
> access to dn.base="dc=fr" attrs=entry,children,contextcsn
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
> by * none
>
> # 4) Certificate
> access to *
> attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
> by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by * none
>
>
> # 5) Branch dc=gouv,dc=fr
> access to dn.subtree="dc=gouv,dc=fr"
> by dn.subtree="ou=Comptes Clients,dc=fr" read
> by dn.subtree="ou=Comptes Admin,dc=fr" write
> by * none
>
>
> # 6) All the tree
> access to *
> by dn.exact="cn=root,dc=fr" write
> by dn.subtree="ou=Comptes Admin,dc=fr" read
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by self none
> by users none
> by anonymous none
> by * none
>
>
> On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount <quanah@symas.com>
> wrote:
>
> > --On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
> > <dieter@dkluenter.de> wrote:
> >
> > > On Tue, 16 Oct 2018 15:51:50 +0200,
> > > Lirien Maxime <maxime.lirien@gmail.com> wrote:
> > >
> > >> Hi all,
> > >> thanks for reading.
> > >> I have a "supervision" account on all my LDAP servers. With the
> > >> Nagios plugin, it checks the sync. I would like this account to
> > >> read only contextCSN to check the sync, and only contextCSN, not
> > >> the other entries (Nagios check plugin).
> > >> Can someone help me write the right ACL?
> > >>
> > >> Here is what I tried, but it's not really right :-/
> > >> # ContextCSN
> > >> access to dn.subtree="dc=fr" attrs=contextCSN
> > >> by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
> > >> by * none
> > >
> > > access to dn.base="dc=fr" attrs=entry,children,contextCSN
> > >     by dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read
> >
> > I'd also be careful of doing "by * none" to the contextCSN, etc., as
> > that can break replication depending on the DN that binds to the
> > master(s), since the replication DN must be able to read the
> > contextCSN.
> >
> > --Quanah
> >
> >
> >
> > --
> >
> > Quanah Gibson-Mount
> > Product Architect
> > Symas Corporation
> > Packaged, certified, and supported LDAP solutions powered by
> > OpenLDAP: <http://www.symas.com>
> >
> >
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
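The slapacl(8) check suggested in the reply, written out as an added example (not code from the thread): it asks slapd's ACL engine directly whether the monitoring DN and the replication DN may read the entry pseudo-attribute and contextCSN on the root entry dc=fr, which is what a base-scoped contextCSN query needs. The slapd.conf path is an assumption; slapacl reads the backend database itself, so run it on the server as the slapd user (or add -u to skip fetching the entry).

```sh
#!/bin/sh
# Added example (not from the thread): use slapacl(8) to confirm which accounts
# may read contextCSN on the root entry dc=fr.
# Assumed: slapd.conf lives at the path below (override with SLAPD_CONF); for a
# cn=config setup replace "-f $SLAPD_CONF" with "-F /etc/ldap/slapd.d".
SLAPD_CONF="${SLAPD_CONF:-/etc/ldap/slapd.conf}"

# Succeed only if every access slapacl reported is ALLOWED. slapacl writes one
# line per requested attribute, e.g. "read access to contextCSN: ALLOWED", to
# stderr; an empty report is treated as failure, not success.
all_allowed() {
    awk '/: DENIED$/  { denied++ }
         /: ALLOWED$/ { allowed++ }
         END { exit !(allowed > 0 && denied == 0) }'
}

# Test DN $1 against entry $2: a base-scoped search for contextCSN needs access
# to the entry pseudo-attribute as well as to contextCSN itself (what rule #3
# in the thread grants).
can_read_contextcsn() {
    slapacl -f "$SLAPD_CONF" -D "$1" -b "$2" entry/read contextCSN/read 2>&1 \
        | all_allowed
}

# Both the monitoring account and the replication DN must pass: denying the
# replication DN would break syncrepl, as Quanah notes in the thread.
if command -v slapacl >/dev/null 2>&1; then
    for dn in "cn=supervision,ou=Comptes Clients,dc=fr" \
              "cn=Synchro,ou=Comptes Admin,dc=fr"; do
        if can_read_contextcsn "$dn" "dc=fr"; then
            echo "OK      $dn"
        else
            echo "DENIED  $dn  (re-check ACL ordering; trace with: slapd -d acl)"
        fi
    done
fi
```

Because slapacl evaluates the ACLs straight from the configuration, an edited slapd.conf can be checked this way before slapd is restarted.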