
RE: *****SPAM***** Adding ACL to an Attribute



 
> -w `cat /var/lib/nethserver/secrets/libuser`

Use the -y option? (and 'echo -n' the password to the file, thus without a newline 
character)


Start with ACLs something like this (by default, do not allow access): 

olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange
  by ssf=256 self read
  by ssf=256 anonymous auth
  by * none break
.
.
.
olcAccess: {9} to * by * none

I think my question is basically similar to yours, so maybe keep 
track of this for an answer.
https://www.mail-archive.com/openldap-technical@openldap.org/msg24126.html
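The deny-by-default layout above only does its job if the `to attrs=info` directive from the quoted question below is numbered before the `to * by * none` catch-all, because slapd stops at the first directive whose `to` clause matches. What follows is an added example, not code from this thread or from OpenLDAP: a simplified Python model of that first-match walk (including the `break` control and the `ssf=` qualifier), run over the reply's skeleton with the question's directive inserted as `{3}`, and then again with it numbered after the catch-all. The entry, group and `cn=libuser` DNs are taken from the quoted question; `uid=admin,...` is a made-up group member, and the `ssf` values stand in for a TLS or ldapi connection versus a plain one.

```python
"""Simplified model of slapd's first-match ACL walk (added illustration, not slapd code)."""
import re
import shlex

# slapd access levels from lowest to highest; a granted level implies every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def parse_rules(olc_lines):
    """Parse 'olcAccess: {n}to <what> by <who> <level> [stop|break]' into (what, clauses)."""
    rules = []
    for line in olc_lines:
        body = re.sub(r"^olcAccess:\s*\{\d+\}\s*", "", line.strip())
        what, *by_parts = re.split(r"\s+by\s+", body)
        clauses = []
        for part in by_parts:
            tokens = shlex.split(part)  # keeps group="cn=domain admins,..." as one token
            control = tokens.pop() if tokens[-1] in ("stop", "break") else "stop"
            if tokens[-1] not in LEVELS:
                raise ValueError("explicit access level required in: by " + part)
            clauses.append((tokens[:-1], tokens[-1], control))
        rules.append((re.sub(r"^to\s+", "", what), clauses))
    return rules

def what_matches(what, entry_dn, attr):
    """'to' clause: '*', dn.exact="..." and/or attrs=a,b; each part present must hold."""
    if what == "*":
        return True
    m = re.search(r'dn\.exact="([^"]*)"', what)
    if m and m.group(1).lower() != entry_dn.lower():
        return False
    m = re.search(r"attrs=(\S+)", what)
    return not m or attr.lower() in m.group(1).lower().split(",")

def who_matches(tokens, requester, entry_dn):
    """'by' selector: slapd ANDs the qualifiers of one <who>, so every token must hold."""
    dn = requester.get("dn")  # None models an anonymous bind
    for tok in tokens:
        if tok == "*":
            ok = True
        elif tok == "anonymous":
            ok = dn is None
        elif tok == "self":
            ok = dn is not None and dn.lower() == entry_dn.lower()
        elif tok.startswith("ssf="):  # security strength factor of the connection
            ok = requester.get("ssf", 0) >= int(tok[4:])
        elif tok.startswith("group="):  # quotes already stripped by shlex
            ok = tok[6:].lower() in [g.lower() for g in requester.get("groups", [])]
        else:
            raise ValueError("unsupported <who> selector: " + tok)
        if not ok:
            return False
    return True

def access_level(rules, requester, entry_dn, attr):
    """First matching 'to' decides, unless its matching 'by' says 'break' (then keep walking)."""
    granted = "none"
    for what, clauses in rules:
        if not what_matches(what, entry_dn, attr):
            continue
        for tokens, level, control in clauses:
            if who_matches(tokens, requester, entry_dn):
                granted = level
                if control == "stop":
                    return granted
                break  # 'break' control: later directives are still consulted
        else:
            return "none"  # no 'by' clause matched: slapd's implicit 'by * none'
    return granted

# Constructed rule set: the deny-by-default skeleton from the reply above, with the
# 'attrs=info' directive from the quoted question inserted just before the catch-all.
ORDERED = parse_rules([
    'olcAccess: {0}to dn.exact="" by * read',
    'olcAccess: {1}to dn.exact="cn=Subschema" by * read',
    'olcAccess: {2}to attrs=userPassword,shadowLastChange'
    ' by ssf=256 self read by ssf=256 anonymous auth by * none break',
    'olcAccess: {3}to attrs=info by self write by anonymous auth'
    ' by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write by * none',
    'olcAccess: {4}to * by * none',
])
SHADOWED = ORDERED[:3] + [ORDERED[4], ORDERED[3]]  # info rule after the catch-all: never reached

TOTO = "uid=toto,ou=People,dc=directory,dc=nh"  # entry shown in the question
ANON = {"dn": None, "ssf": 0}
LIBUSER = {"dn": "cn=libuser,dc=directory,dc=nh", "ssf": 0}  # bind DN of the question's ldapsearch
ADMIN = {"dn": "uid=admin,ou=People,dc=directory,dc=nh", "ssf": 256,  # hypothetical group member
         "groups": ["cn=domain admins,ou=Groups,dc=directory,dc=nh"]}

def summary(rules):
    """Effective access to toto's 'info' and 'userPassword' for several requesters."""
    return {
        "self_info": access_level(rules, {"dn": TOTO, "ssf": 256}, TOTO, "info"),
        "anon_info": access_level(rules, ANON, TOTO, "info"),
        "admin_info": access_level(rules, ADMIN, TOTO, "info"),
        "libuser_info": access_level(rules, LIBUSER, TOTO, "info"),
        "libuser_pw": access_level(rules, LIBUSER, TOTO, "userPassword"),
        "self_pw_plain": access_level(rules, {"dn": TOTO, "ssf": 0}, TOTO, "userPassword"),
        "self_pw_tls": access_level(rules, {"dn": TOTO, "ssf": 256}, TOTO, "userPassword"),
    }
```

Two things become visible. With the rule ordered correctly, `summary(ORDERED)` gives toto `write`, anonymous `auth`, the admins group `write` and `cn=libuser` `none` on `info`, so the `ldapsearch` from the question stops returning the answers and any export that binds as `cn=libuser` has to run before the ACL is applied; the `break` on the `userPassword` rule sends everyone who is not self or anonymous on to the catch-all, and self only gets `read` when the connection meets `ssf=256`. With the same directive numbered after `to * by * none`, `summary(SHADOWED)` returns `none` for every requester, including the user and the admins group. The model ignores `users`, regex selectors, `continue`, the rootdn bypass and several finer points, so treat it as a sanity check on ordering, not as a replacement for testing against the running slapd with `ldapsearch`.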


-----Original Message-----
To: openldap-technical@openldap.org
Subject: *****SPAM***** Adding ACL to an Attribute

Hi all,

SYSTEM: NethServer-7.6.1810, a distro using Centos7.6.1810
OpenLDAP: openldap-2.4.44-21.el7_6.x86_64 Extra package: Self Service 
Password

I am using Self Service Password with question/answer method to change 
the password.
I store the answer in an attribute named: info.

$answer_objectClass = "extensibleObject"; $answer_attribute = "info";

The original Account provider is LDAP which I want to replace with 
Active Directory.
All the users have to choose a question/answer before I replace LDAP with 
AD as the Account provider.


While LDAP is still the Account provider, anybody with console access to 
the server can see the question/answer using the command:

# ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1


# toto, People, directory.nh
dn: uid=toto,ou=People,dc=directory,dc=nh
...
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
shadowLastChange: 18220
userPassword:: cm9ibTEyMDQ0OQ==
info: {car}Honda

I created a Virtual Machine to test the scenario with 3 users.

In NethServer, the original Account provider is LDAP.
I did a script to extract the users and their answers to file.ldif. I 
remove LDAP.
I install Active Directory module.
I import the users/groups to AD. In the importation, AD creates new 
passwords for the imported users.
I add a section to Self Service Password for AD.
I modify AD with info.ldif to include the answer.

# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Modified 3 records successfully
#

The users can then modify their password responding to the same 
question/answer they had with LDAP.
All is working perfectly.

PROBLEM:
I cannot encrypt the answer in LDAP because when I import the users to 
Active Directory, it cannot read the encrypted answer. I think that AD 
is using another way to encrypt/decrypt?
If I don't encrypt the answer, the importation to AD is working 
correctly.

While still using LDAP as Account provider and before I change it to 
Active Directory, I would like to add an additional ACL so nobody can 
read the answer stored in "info".

After googling a lot I found a way to describe the ACL. I hope it is the 
right way.

access to attrs=info
    by self write
    by anonymous auth
    by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
    by * none

How can I create the content of the newacl.ldif file to be able to add that 
ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f 
/temp/newacl.ldif)?

Thank you,

Drukpa
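One way to produce the requested newacl.ldif, as an added example rather than anything from the thread or from NethServer: a Python script that flattens the slapd.conf-style directive from the question into a single olcAccess value, numbers it so that it lands before the existing `to *` catch-all (a directive placed after `to * by * none` is never evaluated), folds the long line per RFC 2849, and writes the LDIF that `ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif` can apply. `olcDatabase={1}mdb,cn=config` is only a placeholder for the database DN, and the EXISTING list is a constructed stand-in for the current olcAccess values; both should be taken from `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=dc=directory,dc=nh)" olcSuffix olcAccess` run on the server.

```python
"""Build newacl.ldif for a cn=config ACL insert (added example, not the list's or project's code)."""
import re

# Placeholder database DN; read the real one with
#   ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config "(olcSuffix=dc=directory,dc=nh)" olcSuffix olcAccess
DB_DN = "olcDatabase={1}mdb,cn=config"

# Constructed olcAccess values such a search might return (laid out as in the reply).
EXISTING = [
    '{0}to dn.exact="" by * read',
    '{1}to dn.exact="cn=Subschema" by * read',
    '{2}to attrs=userPassword,shadowLastChange by ssf=256 self read'
    ' by ssf=256 anonymous auth by * none break',
    '{3}to * by * none',
]

# The directive from the question, in slapd.conf layout.
NEW_ACL = """
access to attrs=info
    by self write
    by anonymous auth
    by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
    by * none
"""

def flatten_acl(acl_text):
    """slapd.conf multi-line 'access to ...' -> one olcAccess value (without index)."""
    return re.sub(r"^access\s+", "", " ".join(acl_text.split()))

def insertion_index(existing_values):
    """Number the new directive so it sits before the first 'to *' catch-all; a rule
    placed after 'to * by * none' is never evaluated. Append if there is no catch-all."""
    for value in existing_values:
        m = re.match(r"\{(\d+)\}\s*to\s+\*\s+by\b", value)
        if m:
            return int(m.group(1))
    return len(existing_values)

def ldif_fold(line, width=76):
    """RFC 2849 line folding: continuation lines start with one space."""
    out = []
    while len(line) > width:
        out.append(line[:width])
        line = " " + line[width:]
    out.append(line)
    return "\n".join(out)

def build_ldif(db_dn, existing_values, acl_text):
    """LDIF that adds the flattened ACL at the computed index; slapd renumbers the rest."""
    value = "{%d}%s" % (insertion_index(existing_values), flatten_acl(acl_text))
    return "\n".join(["dn: " + db_dn, "changetype: modify", "add: olcAccess",
                      ldif_fold("olcAccess: " + value), "-"]) + "\n"

if __name__ == "__main__":
    # Write the file, then apply it as in the question:
    #   ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif
    with open("newacl.ldif", "w") as fh:
        fh.write(build_ldif(DB_DN, EXISTING, NEW_ACL))
    print(build_ldif(DB_DN, EXISTING, NEW_ACL))
```

Because olcAccess is an ordered attribute, adding a value with an explicit `{3}` shifts the existing `{3}to * by * none` to `{4}` automatically. Note that `by * none` also denies `cn=libuser`, the DN that the export script and the `ldapsearch` in the question bind as: either run the export to file.ldif before applying this ACL, or add a `by dn.exact="cn=libuser,dc=directory,dc=nh" read` clause ahead of `by * none` if that account still needs the attribute. After applying, repeat the ldapsearch as `cn=libuser` and confirm that `info` is no longer returned, and bind as one of the users (over TLS or ldapi) to confirm that self access still works.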