[Date Prev][Date Next] [Chronological] [Thread] [Top]

restrict anonymous read access to posixAccount

To: openldap-technical@openldap.org
Subject: restrict anonymous read access to posixAccount
From: Ingo <Ingo@Hoeft-online.de>
Date: Tue, 02 Jul 2013 13:57:47 +0200
User-agent: Mozilla/5.0 (X11; Linux i686; rv:10.0.12) Gecko/20130116 Icedove/10.0.12

Hello list,

I'm just learning about access control.

I want to setup my clients to manage its posixAccounts and posixGroups
over the ldap Directory. With the default access rights it's working.
Clients are looking anonymous at the directory for the group, e.g. at
boot time or on user login. Syslog shows me:

~$ sudo egrep "slapd\[.*\]: conn=1186" /var/log/syslog
slapd[2340]: conn=1186 fd=13 ACCEPT from IP=192.168.1.64:35566
(IP=0.0.0.0:389)
slapd[2340]: conn=1186 op=0 BIND dn="" method=128
slapd[2340]: conn=1186 op=0 RESULT tag=97 err=0 text=
slapd[2340]: conn=1186 op=1 SRCH base="dc=hoeft-online,dc=de" scope=2
deref=0 filter="(&(objectClass=posixGroup)(gidNumber=1002))"
slapd[2340]: conn=1186 op=1 SRCH attr=cn userPassword memberUid
uniqueMember gidNumber
slapd[2340]: conn=1186 op=1 SEARCH RESULT tag=101 err=0 nentries=1
text=
slapd[2340]: conn=1186 fd=13 closed (connection lost)
~$

slapd ACCEPT a connection from the client, BIND to anonymous
with simple method (BIND dn="" method=128) and searches with
filter="(&(objectClass=posixGroup)(gidNumber=1002))" with SEARCH
RESULT success (err=0 nentries=1).

testing it with:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
dn: cn=gemeinsam,ou=groups,ou=home,dc=hoeft-online,dc=de
cn: gemeinsam
gidNumber: 1002
objectClass: top
objectClass: posixGroup
memberUid: ingo
memberUid: uschi
~$

Now I try to restrict anonymous read only to posixGroup and
posixAccount because I don't want anonymous reading other Entries. I
modified the default access control to this:

olcAccess: to filter=
 "(| (objectClass=posixAccount) (objectClass=posixGroup))"
  by anonymous read
olcAccess: to *
  by self write
  by dn=<admin> write
  by * none

now I get:
~$ ldapsearch -xLLL "(&(objectClass=posixGroup)(gidNumber=1002))"
No such object (32)
~$

It works with:
olcAccess: to filter="(objectClass=*)" by anonymous read

or

olcAccess: to filter="(objectClass=top)" by anonymous read

What I'm misunderstanding here?

And yes, I have read slapd.access three times but do not really
understand everything til now.

kind regards
Ingo

Attachment: signature.asc
Description: OpenPGP digital signature

Follow-Ups:
- Re: restrict anonymous read access to posixAccount
  - From: Ingo <Ingo@Hoeft-online.de>

Prev by Date: Mirror mode replication
Next by Date: Re: OpenLDAP multimaster
Index(es):
- Chronological
- Thread