Home / server / Questions / 316838
In Process
plaetzchen
Asked: 2011-09-30 06:19:52 +0800 CST

LDAP ACLs with ldapmodify & .ldif file grand user access only

  • 772

I want to change the settings my new LDAP server let only users of the server read entries and not anonymous. Currently my olcAccess looks like this:

olcAccess: {0} to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1} to * by self write by dn="cn=admin,dc=example,dc=com" write by * read

I tried to change it like so:

olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
olcAccess: {1} to * by self write by dn="cn=admin,dc=exampme,dc=com" write by users read

But that gives me no access at all. Can someone help me on this?

thanks

UPDATE: This is the log read after the changes mentioned by userxxx

Sep 30 10:47:21 j16354 slapd[11805]: conn=1437 fd=28 ACCEPT from IP=87.149.169.6:64121     (IP=0.0.0.0:389)
Sep 30 10:47:21 j16354 slapd[11805]: conn=1437 op=0 do_bind: invalid dn (pbrechler)
Sep 30 10:47:21 j16354 slapd[11805]: conn=1437 op=0 RESULT tag=97 err=34 text=invalid DN
Sep 30 10:47:21 j16354 slapd[11805]: conn=1437 op=1 UNBIND
Sep 30 10:47:21 j16354 slapd[11805]: conn=1437 fd=28 closed
Sep 30 10:47:21 j16354 slapd[11805]: conn=1438 fd=28 ACCEPT from IP=87.149.169.6:64122     (IP=0.0.0.0:389)
Sep 30 10:47:21 j16354 slapd[11805]: conn=1438 op=0 do_bind: invalid dn (pbrechler)
Sep 30 10:47:21 j16354 slapd[11805]: conn=1438 op=0 RESULT tag=97 err=34 text=invalid DN
Sep 30 10:47:21 j16354 slapd[11805]: conn=1438 op=1 UNBIND
Sep 30 10:47:21 j16354 slapd[11805]: conn=1438 fd=28 closed

pbrechler should be a valid user but has no system user (we don't need it) admin does't work also

  1. List item
openldap access-control-list

2 Answers

  1. olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=example,dc=com" write by * none
    olcAccess: {1}to attrs=uid,uidNumber,gidNumber by dn="cn=admin,dc=example,dc=com" write by * read
    olcAccess: {2}to * by self write by dn="cn=admin,dc=example,dc=com" write by users read by anonymous auth

    olc{1} ... by * read might instead be by * auth depends on config of pam_ldap and how/if client machines (rather than users) authenticate themselves.

    Edit as response:

    Valid dns look like uid=username,ou=users,dc=sub,dc=domain,dc=tld.
    username is not a valid dn syntax and never has been.
    olcAccess cannot change this.
    (SASL/olcAuthzRegexp can do all kinds of interesting things, however not enough detail was provided to know if system uses SASL at all.)

    If this machine only uses ldap to talk to itself you can limit it to localhost (or sockets, aka ldapi, if your client software supports it). dn naming rules still apply.

    Also, if dn="cn=admin,dc=example,dc=com" is defined as your rootdn for a database there is no need to list it in that database's olcAccess. A dn always has write access to all attrs in a database for which it is rootdn.

    • 1

  2. Try this:

    access to attrs=userPassword,shadowLastChange 
    by self write 
    by anonymous auth 
    by dn="cn=admin,dc=example,dc=com" write 
    by users read
    by * none
access to * 
    by self write 
    by dn="cn=admin,dc=example,dc=com" write 
    by * read

    But you may consider 2 security risks: the first is access to attrs=userPassword,shadowLastChange by users read means that the users can read the shadow password and use tools to crack. The second is access to * by self write, so, the users can change uidNumber and/or gidNumber to becomes root.

    Therefore, I suggest the following ACL:

    access to attrs=userPassword,shadowLastChange 
    by self write 
    by anonymous auth 
    by dn="cn=admin,dc=example,dc=com" write 
    by users none
access to * 
    by dn="cn=admin,dc=example,dc=com" write 
    by * read
    • 0