[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Ang. RE: Bdb defaults - WAS: problem importing entries.

Hash: SHA1

Pierangelo Masarati wrote:

| This is another issue.  please use the ITS if you think there's a bug.
| Note that this part of ACLs has been the subject of a debate recently;
| global scope ACLs are supposed to behave as they used to be from all
| times; only, they are evaluated AFTER those database specific; so if you
| have something like
| <slapd.conf>
| # ...
| access to attrs=userpassword
|     by * =x
| database xxx
| # ...
| access to *
|     by * read
| </slapd.conf>
| then of course the global rule will never be used.  I'm positive
| the behavior didn't change; if it did, then it's an error and deserves
| an ITS.

Hmm, how about a configuration with a global ACL like:

# Protect passwords, using a regex so we can have generic accounts with
# write access
# Openldap will not authenticate against non-userPassword attributes
# but we would have to duplicate most rules ...
access to dn="(.+,)?,ou=.+,(dc=.+,?)+$$"
~        by self write
~        by dn="uid=root,ou=People,$2" write
~        by group="cn=Domain Controllers,ou=Group,$2" write
~        by anonymous auth
~        by * none

Then, a database definition like:
directory       /var/lib/ldap


access to *
~        by dn.exact="uid=root,ou=People,dc=example,dc=com" write
~        by group="cn=Replicator,ou=Group,dc=example,dc=com" write
~        by * read

Now, if we have the final rule "by * read", then we aren't protecting
the password, and if we have "by * none", then we can't do anonymous
auth or let users change their passwords. Catch 22.

Global ACLs should (IMHO) be global ... otherwise they are useless (at
least if you have a replica).

If global ACLs are processed first, then they can be generic enough for
most purposes, and database-specific ACLs can tighten up the last bits.
But, if they are processed last, they are either used (with no
customisation available), or they aren't.

Maybe there are counter-arguments?


- --
Buchan Milne                      Senior Support Technician
Obsidian Systems                  http://www.obsidian.co.za
B.Eng                                RHCE (803004789010797)
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org