
Re: Access auth granularity?



On 09.05.2016 12:31, Dieter Klünter wrote:
On Mon, 9 May 2016 11:00:38 +0200
Dora Paula <deepee@gmx.net> wrote:

I searched for security in slapd.access(5) [1] and just found:

"The statements ssf=<n>, transport_ssf=<n>, tls_ssf=<n>, and
sasl_ssf=<n> set the minimum required Security Strength Factor (ssf)
needed to grant access."


In regard to "security" slapd.conf(5) [2] states:

"security <factors>
... The directive may be specified globally and/or per-database."

Thus I don't see how this applies to my goal.


The following statement/example is taken from the current admin guide
[3]:

access to dn="cn=example,cn=edu"
	by * ssf=256 read

Thus I tested, just for fun:
access to dn="ou=usersa,dc=example,dc=com"
	by * sasl_ssf=1 auth

Without success - which seems clear to me, because there is no
sasl-layer known during an initial bind. So, if I'm wrong, could you
please be so kind and go into more detail here?

Thank you very much.
[...]

Any password transport should be protected by some means of transport
security, that is, either sasl DIGEST-MD5 or TLS.

security=1

access to dn.sub=ou=userA,dc=example,dc=com
  by * sasl_ssf=128 read

access to dn.sub=ou=userB,dc=example,dc=com
  by * ssf=56 read

or alternatively

  by transport_ssf=56 read

-Dieter


Dieter,

please note: Access auth is the question. Thus I think your example using access read misses the point here.

Nevertheless I've set security ssf=1 for the database, used the following acl ...

access to dn.one="ou=usersA,dc=example,dc=com" attrs=cn
  by anonymous sasl_ssf=128 auth
  by users read
  by * none

... and tried an "ldapwhoami -Y DIGEST-MD5 -U ...", which does not work as expected. Please see the "ACL 1 > OP 0" in the following log excerpt:

57307aa4 => acl_mask: access to entry "cn=test,ou=usersA,dc=example,dc=com", attr "cn" requested
57307aa4 => acl_mask: to value by "", (=0)
57307aa4 <= check a_dn_pat: anonymous
57307aa4 <= check a_authz.sai_sasl_ssf: ACL 1 > OP 0
57307aa4 <= check a_dn_pat: self
57307aa4 <= check a_dn_pat: *
57307aa4 <= acl_mask: [5] applying none(=0) (stop)
57307aa4 <= acl_mask: [5] mask: none(=0)
57307aa4 => slap_access_allowed: auth access denied by none(=0)

General note regarding my setup:
Without the security and ssf stuff the test user can successfully bind using simple and sasl bind - so far so good. All I would like to achieve is to restrict binds locally (see dn.one=...) to sasl-only, without disallowing simple bind globally.

Is this possible? If yes, how?

Thanks again.
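To make the "ACL 1 > OP 0" line in the log easier to read, here is an added model of the first-match walk slapd's acl_mask performs over the by-clauses; it is illustration code written for this thread, not slapd's own code. It assumes the by-clause ordering and the access-level ordering from slapd.access(5), and it models the overall "ssf" as the strongest of the transport, TLS and SASL layers, which is a simplification of what slapd actually computes.

```python
from dataclasses import dataclass

# Access levels in slapd.access(5) order: a clause grants the requested access
# when its level is at least the level requested (so "read" also covers "auth").
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class Op:
    """What slapd knows about an operation when the ACL is evaluated (a model)."""
    bound_dn: str = ""      # "" is anonymous, the state during an initial bind
    transport_ssf: int = 0
    tls_ssf: int = 0
    sasl_ssf: int = 0

    def ssf_of(self, kind):
        # Assumption of this model: the overall "ssf" is the strongest of the three layers.
        if kind == "ssf":
            return max(self.transport_ssf, self.tls_ssf, self.sasl_ssf)
        return getattr(self, kind)

def who_matches(who, op):
    if who == "*":
        return True
    if who == "anonymous":
        return op.bound_dn == ""
    if who == "users":
        return op.bound_dn != ""
    return who == op.bound_dn   # anything else is treated as a literal DN

def acl_mask(clauses, op, requested):
    """First-match-wins walk of the by-clauses; returns (granted, trace).
    A clause whose who-pattern matches but whose ssf requirement is unmet is
    skipped, which is what the "ACL 1 > OP 0" line in the slapd log shows."""
    trace = []
    for who, reqs, level in clauses:
        trace.append(f"check a_dn_pat: {who}")
        if not who_matches(who, op):
            continue
        unmet = [(k, n) for k, n in reqs.items() if n > op.ssf_of(k)]
        if unmet:
            k, n = unmet[0]
            trace.append(f"check {k}: ACL {n} > OP {op.ssf_of(k)}")
            continue
        trace.append(f"applying {level} (stop)")
        return LEVELS.index(level) >= LEVELS.index(requested), trace
    return False, trace + ["no clause matched: none"]

# The ACL from the post as data: (who, ssf requirements, access level).
ACL = [("anonymous", {"sasl_ssf": 128}, "auth"),  # needs a SASL layer of >= 128
       ("users", {}, "read"), ("*", {}, "none")]
```

Running `acl_mask(ACL, Op(), "auth")` reproduces the denied bind: the anonymous clause is skipped because no SASL layer exists yet, and `by * none` wins; the same call with `Op(sasl_ssf=128)` grants auth, and a TLS-only session still fails because `sasl_ssf` is the SASL layer specifically, whereas a clause using plain `ssf=56` would be satisfied by TLS.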