Discussion: ACL
Carlo Pradissitto
2010-03-19 11:54:05 UTC
Hi,
my DIT looks something like this:

dc=<base>
|__ dc=<domain_1>
|   |__ o=<org_1>
|   |   |__ cn=user_domain1_1
|   |   |__ cn=user_domain1_2
|   |   |__ cn=user_domain1_3
|   |__ o=<org_2>
|       |__ cn=user_domain1_3
|       |__ cn=user_domain1_4
|       |__ cn=user_domain1_5
|__ dc=<domain_2>
    |__ o=<org_3>
    |   |__ cn=user_domain2_1
    |   |__ cn=user_domain2_2
    |   |__ cn=user_domain2_3
    |__ o=<org_4>
        |__ cn=user_domain2_3
        |__ cn=user_domain2_4
        |__ cn=user_domain2_5

I would like to create one administrative account for each domain
(<domain_1> and <domain_2>)

Here is my way:

I create a new branch:

dc=<base>
|__ o=Administrators
    |__ ou=<domain_1>_Administrators
        |__ cn=Administrator1

then I insert a new directive in slapd.conf

access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

Here is the response when I try to connect with <domain_1>Administrators
credentials:

Error opening connection:
[LDAP: error code 49 - Invalid Credentials]

Here is OpenLDAP's output in debug mode:

daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
>>> slap_listener(ldap://<my_host>:1389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 11
daemon: added 11r (active) listener=(nil)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 83 contents:
op tag 0x60, time 1268990296
ber_get_next
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>
<<< dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>, <cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>>
do_bind: version=3 dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" method=128
bdb_dn2entry("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
=> bdb_dn2id("dc=<base>")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x12
=> bdb_dn2id("ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x13
=> bdb_dn2id("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x14
entry_decode: "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
<= entry_decode(cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>)
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 11
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=11 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=11
daemon: removing 11

Same result with this policy:
access to dn.subtree="dc=<domain_1>,dc=<base>" by * write

I can access only with this policy:
access to * by * write

I compiled OpenLDAP 2.4.21 with default settings.

Here is my slapd.conf:

include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/core.schema
include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/cosine.schema

pidfile /sw/test_domain_openldap-2.4.21/var/run/slapd.pid
argsfile /sw/test_domain_openldap-2.4.21/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=<base>"
rootdn "cn=Manager,dc=<base>"
rootpw testdomain
directory /sw/test_domain_openldap-2.4.21/var/openldap-data
index objectClass eq

access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write

thanks in advance!
Carlo
Owen Marshall
2010-03-19 17:25:02 UTC
Post by Carlo Pradissitto
access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
With no access stanza, OpenLDAP defaults to:

access to *
by anonymous read
by * none

As soon as you assign an access stanza, this default goes away.

As it stands, you are not giving Administrator1 any permission to bind.
Your access stanza doesn't mention anything under the administrative
section.

At the very least, you will need something like:
access to dn.subtree="o=Administrators,dc=<base>" by anonymous bind

You *will* need to fine-tune this. ;-)

Some decent information on ACLs can be found at
http://www.zytrax.com/books/ldap/ch6/

Also, set debug level 128 to view ACL processing -- this will be
invaluable to you.
--
Owen Marshall
FacilityONE
***@facilityone.com | (502) 805-2126
Carlo Pradissitto
2010-03-22 11:19:13 UTC
Hi Owen,
thanks for the explanation!
Now everything works fine with these options:
access to dn.subtree="o=Administrators,dc=<base>"
        by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
access to dn.subtree="dc=<domain_2>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write

Thank you!
Carlo
Jonathan Clarke
2010-03-19 18:36:07 UTC
Hi Carlo,

You need to add an ACL to allow the administrator to BIND (authenticate):
access to dn.subtree="ou=<domain_1>Administrators,o=Administrators,dc=<base>"
        by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
--
--------------------------------------------------------------
Jonathan Clarke - ***@phillipoux.net
--------------------------------------------------------------
Ldap Synchronization Connector (LSC) - http://lsc-project.org
--------------------------------------------------------------
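As an added illustration, not code from the thread or from OpenLDAP itself: a small Python model of how slapd walks its access directives, run against the ACL sets from this thread (Carlo's first attempt, his working configuration after Owen's answer, and the "access to * by * write" fallback). It encodes the behaviour the replies describe: the first matching "access to" clause wins, within it the first matching "by" clause wins, every clause ends with an implicit "by * none", a target matched by no clause at all is denied once any ACL exists, and a simple bind needs "auth" access to the bind DN's entry granted to anonymous. The placeholders <base>, <domain_1> and <domain_2> are kept literally from the thread; the model is deliberately limited to dn.subtree targets and the "who" forms used here.

```python
# Added example, not from the thread: a deliberately small model of slapd ACL
# evaluation (dn.subtree targets; who = "*", "anonymous" or dn="..."; no attrs,
# regex or control keywords). <base>, <domain_1>, <domain_2> are literal placeholders.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

def norm(dn):
    # Case-insensitive DN comparison, as the lowercased dnPrettyNormal output shows.
    return ",".join(part.strip() for part in dn.lower().split(","))

def in_subtree(target, base):
    target, base = norm(target), norm(base)
    return target == base or target.endswith("," + base)

def who_matches(who, requestor):
    # requestor is the bound DN, or None for an anonymous session.
    if who == "*":
        return True
    if who == "anonymous":
        return requestor is None
    if who.startswith("dn="):
        return requestor is not None and norm(who[3:].strip('"')) == norm(requestor)
    raise ValueError("unsupported <who> clause: " + who)

def access_allowed(acls, target, requestor, needed):
    """acls: [(what, [(who, level), ...]), ...] in slapd.conf order.
    First <what> matching the target wins; within it the first matching <who>
    wins; no matching <who> is the implicit 'by * none'; no matching <what>
    at all is a deny (which is what rejected Administrator1's bind)."""
    for what, by_clauses in acls:
        if what == "*" or in_subtree(target, what):
            for who, level in by_clauses:
                if who_matches(who, requestor):
                    return LEVELS.index(level) >= LEVELS.index(needed)
            return False
    return False

def bind_allowed(acls, bind_dn):
    # A simple bind is checked as anonymous 'auth' access to the bind DN's entry.
    return access_allowed(acls, bind_dn, None, "auth")

ADMIN1 = 'cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>'
ADMIN2 = ADMIN1.replace("<domain_1>", "<domain_2>")
# Carlo's first attempt: Administrator1's own entry is covered by no directive.
ORIGINAL = [("dc=<domain_1>,dc=<base>", [("dn=" + ADMIN1, "write")])]
# Carlo's working configuration after Owen's answer.
FIXED = [
    ("o=Administrators,dc=<base>", [("anonymous", "auth")]),
    ("dc=<domain_1>,dc=<base>", [("dn=" + ADMIN1, "write")]),
    ("dc=<domain_2>,dc=<base>", [("dn=" + ADMIN2, "write")]),
]
```

Note that slapd reports the failed bind as err=49 (Invalid Credentials) rather than an access error, which is why the debug output above gives no hint that an ACL was the cause; the ACL trace Owen mentions (debug level 128) is what reveals it.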