
Re: Ang. RE: Bdb defaults - WAS: problem importing entries.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Pierangelo Masarati wrote:

| This is another issue.  please use the ITS if you think there's a bug.
| Note that this part of ACLs has been the subject of a debate recently;
| global scope ACLs are supposed to behave as they used to be from all
| times; only, they are evaluated AFTER those database specific; so if you
| have something like
|
| <slapd.conf>
| # ...
| access to attrs=userpassword
|     by * =x
|
| database xxx
| # ...
| access to *
|     by * read
| </slapd.conf>
|
| then of course the global rule will never be used.  I'm positive
| the behavior didn't change; if it did, then it's an error and deserves
| an ITS.

Hmm, how about a configuration with a global ACL like:

# Protect passwords, using a regex so we can have generic accounts with
# write access
# OpenLDAP will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
        attrs=lmPassword,ntPassword,sambaLMPassword,sambaNTPassword,userPassword
        by self write
        by dn="uid=root,ou=People,$2" write
        by group="cn=Domain Controllers,ou=Group,$2" write
        by anonymous auth
        by * none

Then, a database definition like:

directory       /var/lib/ldap

...

access to *
        by dn.exact="uid=root,ou=People,dc=example,dc=com" write
        by group="cn=Replicator,ou=Group,dc=example,dc=com" write
        by * read

Now, if we have the final rule "by * read", then we aren't protecting
the password, and if we have "by * none", then we can't do anonymous
auth or let users change their passwords. Catch 22.

Global ACLs should (IMHO) be global ... otherwise they are useless (at
least if you have a replica).

If global ACLs are processed first, then they can be generic enough for
most purposes, and database-specific ACLs can tighten up the last bits.
But, if they are processed last, they are either used (with no
customisation available), or they aren't.

Maybe there are counter-arguments?

Regards,
Buchan

--
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAzwXQrJK6UGDSBKcRAklLAKCJ3dBLNZXLf2M9rV3EwuFj+EDEMwCdHnNO
+yiYrO9JdivnD+o/n1CYI5E=
=y2/p
-----END PGP SIGNATURE-----
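To make the "Catch 22" in the message concrete, here is an added example (not part of the thread, and not OpenLDAP's own code) that models the evaluation order Pierangelo describes: the first matching `access to` clause is selected, the first matching `by` inside it decides, and database clauses are tried before global ones. The configs are constructed to mirror Buchan's two variants (`by * read` and `by * none` as the database catch-all) plus the workaround of duplicating the password rule inside the database section. DN and attribute matching are reduced to exact string comparison; `group=` subjects and the regex DN are not modelled.

```python
# Simplified model of slapd's ACL evaluation order (added example, not
# OpenLDAP's own code). Assumptions, matching the thread's description:
#  * the first `access to` clause whose target matches the request is used;
#  * within it, the first matching `by` clause decides, and if none matches
#    access is denied;
#  * database-specific clauses are evaluated BEFORE the global ones;
#  * a matched `by` grants the requested privilege if its level is >= needed.
# DN and attribute matching are reduced to exact, case-insensitive string
# comparisons; groups and regex DNs are not modelled.

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def grants(level, needed):
    """True if access level `level` implies the privilege `needed`."""
    return LEVELS.index(level) >= LEVELS.index(needed)

class Rule:
    """One `access to [attrs=...] by <who> <level> ...` clause."""
    def __init__(self, by, attrs=None):
        self.attrs = {a.lower() for a in attrs} if attrs else None  # None = "*"
        self.by = list(by)  # ordered (who, level) pairs

    def applies_to(self, attr):
        return self.attrs is None or attr.lower() in self.attrs

def who_matches(who, requester, target_dn):
    """Match the `by` subject. requester is None for an anonymous bind."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and requester.lower() == target_dn.lower()
    if who.startswith("dn="):
        return requester is not None and requester.lower() == who[3:].lower()
    return False

def allowed(db_rules, global_rules, requester, target_dn, attr, needed):
    """Evaluate database rules first, then global rules (the order under discussion)."""
    for rule in list(db_rules) + list(global_rules):
        if not rule.applies_to(attr):
            continue
        for who, level in rule.by:
            if who_matches(who, requester, target_dn):
                return grants(level, needed)
        return False  # clause selected but no `by` matched: deny, stop here
    return False      # nothing matched at all: deny (model assumption)

# Constructed configs mirroring the message (dc=example,dc=com suffix).
ROOT = "dn=uid=root,ou=People,dc=example,dc=com"
USER = "uid=bob,ou=People,dc=example,dc=com"  # constructed ordinary user

GLOBAL = [Rule(attrs=["userPassword"],
               by=[("self", "write"), (ROOT, "write"),
                   ("anonymous", "auth"), ("*", "none")])]

DB_READ = [Rule(by=[(ROOT, "write"), ("*", "read")])]  # final "by * read"
DB_NONE = [Rule(by=[(ROOT, "write"), ("*", "none")])]  # final "by * none"
# Workaround under database-first evaluation: repeat the password rule
# inside the database section, ahead of the catch-all.
DB_DUP = GLOBAL + DB_READ

def scenario(db_rules):
    """The checks the message cares about, plus an ordinary attribute read."""
    return {
        "anon_read_password": allowed(db_rules, GLOBAL, None, USER, "userPassword", "read"),
        "anon_auth_password": allowed(db_rules, GLOBAL, None, USER, "userPassword", "auth"),
        "self_write_password": allowed(db_rules, GLOBAL, USER, USER, "userPassword", "write"),
        "anon_read_cn": allowed(db_rules, GLOBAL, None, USER, "cn", "read"),
    }

if __name__ == "__main__":
    for name, db in [("by * read", DB_READ), ("by * none", DB_NONE), ("duplicated", DB_DUP)]:
        print(name, scenario(db))
```

Running it shows the two failure modes side by side: with `by * read` as the database catch-all the global password rule is never reached, so anonymous clients can read userPassword and users cannot change their own; with `by * none` nothing below it works at all, including anonymous `auth`. Only the duplicated rule gives the intended outcome, which is exactly the duplication the message objects to when replicas are involved.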