Re: Insufficient acces in some cases

[Ervin Hegedüs <airween@gmail.com>]

Hi,

On Tue, Sep 18, 2018 at 11:21:07PM +0200, Clément OUDOT wrote:
> 
> 
> Le 18/09/2018 à 23:10, Ervin Hegedüs a écrit :
> > Hi,
> >
> > On Tue, Sep 18, 2018 at 10:34:55PM +0200, Clément OUDOT wrote:
> >>
> >> Le 18/09/2018 à 22:23, Ervin Hegedüs a écrit :
> >
> > olcAccess: {0}to attrs=userPassword,shadowLastChange
> >   by self write
> >   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
> >   by anonymous auth
> >   by * none
> > olcAccess: {1}to dn.subtree="ou=OU1,dc=service1,dc=bigcompany,dc=hu"
> >   by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
> >   by * none
> > olcAccess: {2}to dn.regex="ou=(comp1|comp2|comp3),dc=service1,dc=bigcompany,dc=hu"
> >   by dn="uid=_srvuser2,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
> >   by * none
> > olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu"
> >   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
> >   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
> >   by * none
> > olcAccess: {4}to *
> >   by self write
> >   by anonymous auth
> >   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
> >   by * none
> >
> >
> >> Are you sure that a user can modify userPassword and sambaNT/LM password
> >> attributes?
> > yes, I'm sure.
> >
> > The NT/LM password attribures aren't named any place, the
> > userPassword is, but all user can modify its own - see ACL's above.
> 
> No, the olcAccess {3} deny all access inside dc=bigcompany,dc=hu, the
> rule {4} is never evaluated.

well, you're right - but then how does it works for other users?

It's too late here (.hu), I'll check it again tomorrow.

 
> > And as I wrote in first mail, the simple "ldapmodify" works as
> > well.
> 
> Do you test to modify only userPassword attribute? Or your modification
> is also on Samba attributes?

no, I just put the userPassword attribute,
 
> > And more important, the other users under the same OU can change
> > their own userpassword/nt/lm password attributes through PHP.
> 
> I don't how, because your ACL allow only userPassword modification for
> 'self'.

yes, that's very interesting.

and one important thing: if this issue is a "simple" ACL problem,
why logs slapd an interesting lines (one char in a line)? Why
just deny the access...?
 
> > The service user (_srvuser1) also can modify (through PHP), but I'ld
> > like to use as the logged user modify its own passwd.
> >
> 
> I think you should merge your ACL like this:
> 
> olcAccess: {3}to dn.subtree="dc=bigcompany,dc=hu"
>   by dn="uid=_srvuser3,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu"
> read
>   by dn="uid=_srvuser4,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu"
> read
>   by
> dn="uid=_srvproftpd,ou=Users,ou=_srv,dc=service1,dc=bigcompany,dc=hu" read
>   by dn="uid=_srvuser1,ou=Users,ou=_srv,dc=hu" write
>   by self write
>   by * none

thanks, as I wrote, it's too late here to focus the problem, I'll
check it tomorrow with fresh brain :).


Thanks for all,


a.