Re: Problem with localhost unauthenticated bind
Hi Quanah,
On 22/05/12 03:26, Quanah Gibson-Mount wrote:
> --On Monday, May 21, 2012 11:42 AM +0100 Tim Watts <tw@dionic.net> wrote:
>> Hi,
>> I'm having a problem with a new LDAP server (slapd 2.4.23-7.2)
>> I'd like to have root@localhost be able to perform "manage" operations on
>> the slapd on the localhost *only* - all other ACLs would be pretty
>> standard.
>> The machine itself is considered secure.
>> Ideally, I'd like to do this with a mode(600) Unix Domain Socket owned by
>> root.
>> How do you enable a "manage" ACL for the entire DN if and only if the
>> access comes via the unix socket?
>>
>> olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
>> anonymous auth by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * none
>
> This says "self" can write to these attributes, regardless of origination
> This says "anonymous" can access these when authenticating
> This says the user "cn=admin..." can write to these attributes
>
>> olcAccess: {1}to dn.base="" by * read
>
> This says anyone can read the base
>
>> olcAccess: {2}to * by peername.regex=127\.0\.0\.1 manage ###<<< Added
>
> This is garbage

I'd go as far as "complete bollocks" ;-> I do not yet have a feel for
this style of ACL, so I'm not surprised...

> because you unnecessarily escaped the periods.

Ah. I did that because it is a regex (thinking in perl).

> Also,
> there is no need to use a regex, since you are being exact.

Yes - that does seem kind of obvious now you just said it :-o

>> olcAccess: {3}to * by self write by
>> dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by * read
>
> This ACL will never be evaluated because the ACL prior to this already
> references "*".

Ah - I see...

> My *guess* at what you are trying to do above would be:
>
> olcAccess: {2}to * by self write by
> dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write by peername.ip=127.0.0.1
> manage by peername.ipv6=::1 manage by * read

Cool - I'll try that.

> However, this still isn't what you want, because that isn't restricting
> by domain socket. As noted in the slapd.access man page, if you want to
> limit by domain socket, you need to use the "path" prefix. I.e.
>
> peername.path=/path/to/socket
>
> for example:
>
> peername.path="/var/run/ldapi"

Ah - I see - sorry, my bad for not reading properly...

Anyway - big thanks - you've helped me to get a sane starting point.
Once I get the hang of how the basics work, I should be able to
experiment and learn some more...

All the best,

Tim
--
Tim Watts
Personal Blog: http://www.dionic.net/tim/
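Added example (editor's addition, not Tim's or Quanah's configuration): the three rules from the thread rewritten as one ordered olcAccess set that gives "manage" to root on the local machine only. Rather than matching the socket path, it matches the DN that slapd assigns to a SASL EXTERNAL bind over the ldapi socket from uid 0 (`gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`); that identity can only be produced from kernel peer credentials on a Unix domain socket, so it is never reachable over TCP, and it names root specifically rather than every process allowed to open the socket. The database name `olcDatabase={1}hdb` and the socket path are assumptions to be adjusted to the local setup.

```ldif
# Assumes the data database is olcDatabase={1}hdb and that slapd has an
# ldapi:// listener (both assumptions). Apply as root over the socket with:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f local-root-manage.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# Password attributes: the local-root clause comes first so it is matched
# before "by * none"; self/anonymous/admin keep the rights from the thread.
olcAccess: {0}to attrs=userPassword,shadowLastChange
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by self write
  by anonymous auth
  by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write
  by * none
olcAccess: {1}to dn.base="" by * read
# Catch-all rule. Nothing may follow it: a later "to *" rule is dead code,
# which is the problem Quanah pointed out with the original {3} entry.
olcAccess: {2}to *
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
  by self write
  by dn="cn=admin,dc=cch,dc=kcl,dc=ac,dc=uk" write
  by * read
```

To check which identity a socket bind actually gets, run `ldapwhoami -Y EXTERNAL -H ldapi:///` as root; it should print the peercred DN above, and the same command as an unprivileged user prints a different uidNumber/gidNumber pair that matches none of the clauses. The `peername.path="/var/run/ldapi"` form Quanah mentions is the alternative when "anything that can open the socket" is the intended scope; in that case the socket's own mode (Tim's 600, root-owned) is what limits who qualifies, so the two settings have to be kept consistent.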