[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Check synchro : access only to contextcsn



Am Thu, 18 Oct 2018 09:48:22 +0200
schrieb Lirien Maxime <maxime.lirien@gmail.com>:

> Damn ! my ACL don't work despites your help :-/

Run slapd in debugging mode 'acl' or test with slapacl(8)
note that contextCSN is stored in root entry.

-Dieter

> 
> In the log it seems that "supervision" can't access dc=fr, it starts
> from dc=gouv,dc=fr.
> Without rule#3, it's ok because of rule #5.
> But with rule#3 it's supposed to match contextCSN
> 
> Thanks guys.
> 
> Here are my ACL  :
> 
> # 1) Admin's branch
> access to dn.subtree="ou=Comptes Admin,dc=fr"
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by self auth
>     by users auth
>     by anonymous auth
> 
> # 2) userPassword accessible by all
> access to * attrs=userPassword
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by users auth
>     by anonymous auth
>     by * none
> 
> 
> *# 3) ********* CONTEXTCSN **********
> 
> *access to dn.base="dc=fr" attrs=entry,children,contextcsn*
> 
> 
> *   by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read   by
> dn.exact="cn=supervision,ou=Comptes Clients,dc=fr" read   by * none*
> 
> # 4) Certificate
> access to *
> attrs=userCertificateAuthentication,userCertificateConfidentiality,userCertificateSigning
>       by dn.exact="cn=clienttest,ou=Comptes Clients,dc=fr" read
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by * none
> 
> 
> # 5) Branch  dc=gouv,dc=fr
> access to dn.subtree="dc=gouv,dc=fr"
>     by dn.subtree="ou=Comptes Clients,dc=fr" read
>     by dn.subtree="ou=Comptes Admin,dc=fr" write
>     by * none
> 
> 
> # 6) All the tree
> access to *
>     by dn.exact="cn=root,dc=fr" write
>     by dn.subtree="ou=Comptes Admin,dc=fr" read
>     by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
>     by self none
>     by users none
>     by anonymous none
>     by * none
> 
> 
> On Tue, Oct 16, 2018 at 6:31 PM Quanah Gibson-Mount <quanah@symas.com>
> wrote:
> 
> > --On Tuesday, October 16, 2018 6:54 PM +0200 Dieter Klünter
> > <dieter@dkluenter.de> wrote:
> >  
> > > Am Tue, 16 Oct 2018 15:51:50 +0200
> > > schrieb Lirien Maxime <maxime.lirien@gmail.com>:
> > >  
> > >> Hi all,
> > >> thanks for reading.
> > >> I have a "supervision" account on all my ldap servers. With the
> > >> plugin nagios , it check the synchro.  I would like this account
> > >> read only contextcsn to check synchro. And only contextcsn not
> > >> the other entries. (plugin check nagios).
> > >> Can someone help me to write the right ACL ?
> > >>
> > >> Here what I tried but not really right :-/
> > >> # ContextCSN
> > >> access to dn.subtree="dc=fr" attrs=contextCSN
> > >>      by dn.subtree="cn=supervision,ou=Comptes Clients,dc=fr" read
> > >>      by * none  
> > >
> > > access to dn.base=dc=fr
> > >    attrs=entry,children,contextCSN read  
> >
> > I'd also be careful of doing "by * none" to the contextCSN, etc, as
> > that can break replication depending on the DN that binds to the
> > master(s), since the replication DN must be able to read the
> > contextCSN.
> >
> > --Quanah
> >
> >
> >
> > --
> >
> > Quanah Gibson-Mount
> > Product Architect
> > Symas Corporation
> > Packaged, certified, and supported LDAP solutions powered by
> > OpenLDAP: <http://www.symas.com>
> >
> >  



-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E