I'm working on learning & setting up ACLs. My goal is to /not/ have anything set by default, deny all, and step-by-step allow each required access.
In slapd.conf, I've defined security/ACLs as:

    security ssf=256 update_ssf=256 tls=256 update_tls=256 simple_bind=256
    ...
    access to *
        by tls_ssf=256 peername.ip=127.0.0.1 break
        by tls_ssf=256 peername.ip=10.0.1.0%255.255.255.0 break
    access to dn.exact="uid=system,ou=System,dc=domain,dc=com" attrs=userPassword
        by ssf=256 self =x
        by * none
    access to *
        by * none

When I test with:

    ldapsearch -LLL -ZZZ -x -W -D 'uid=system,ou=System,dc=domain,dc=com' -H ldap://domain.com:389 -b "" -s base '(objectclass=*)' +
    Enter LDAP Password:

I get:

    dn:
    supportedSASLMechanisms: GSSAPI

as expected.

In logs I see:

    Sep 3 08:33:06 test slapd[5727]: conn=1 fd=11 ACCEPT from IP=10.0.1.16:37316 (IP=10.0.1.16:389)
    Sep 3 08:33:06 test slapd[5727]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
    Sep 3 08:33:06 test slapd[5727]: conn=1 op=0 STARTTLS
    Sep 3 08:33:06 test slapd[5727]: conn=1 op=0 RESULT oid= err=0 text=
    Sep 3 08:33:06 test slapd[5727]: conn=1 fd=11 TLS established tls_ssf=256 ssf=256
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=1 BIND dn="uid=system,ou=System,dc=domain,dc=com" method=128
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: auth access to "uid=system,ou=System,dc=domain,dc=com" "userPassword" requested
    Sep 3 08:33:09 test slapd[5727]: => acl_get: [1] attr userPassword
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: result not in cache (userPassword)
    Sep 3 08:33:09 test slapd[5727]: => acl_mask: access to entry "uid=system,ou=System,dc=domain,dc=com", attr "userPassword" requested
    Sep 3 08:33:09 test slapd[5727]: => acl_mask: to value by "", (=0)
    Sep 3 08:33:09 test slapd[5727]: <= check a_peername_path: 127.0.0.1
    Sep 3 08:33:09 test slapd[5727]: <= check a_peername_path: 10.0.1.0%255.255.255.0
    Sep 3 08:33:09 test slapd[5727]: <= check a_authz.sai_tls_ssf: ACL 256 > OP 256
    Sep 3 08:33:09 test slapd[5727]: <= acl_mask: [2] applying +0 (break)
    Sep 3 08:33:09 test slapd[5727]: <= acl_mask: [2] mask: =0
    Sep 3 08:33:09 test slapd[5727]: => dn: [2] uid=system,ou=system,dc=domain,dc=com
    Sep 3 08:33:09 test slapd[5727]: => acl_get: [2] matched
    Sep 3 08:33:09 test slapd[5727]: => acl_get: [2] attr userPassword
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: result not in cache (userPassword)
    Sep 3 08:33:09 test slapd[5727]: => acl_mask: access to entry "uid=system,ou=System,dc=domain,dc=com", attr "userPassword" requested
    Sep 3 08:33:09 test slapd[5727]: => acl_mask: to value by "", (=0)
    Sep 3 08:33:09 test slapd[5727]: <= check a_dn_pat: anonymous
    Sep 3 08:33:09 test slapd[5727]: <= check a_authz.sai_ssf: ACL 256 > OP 256
    Sep 3 08:33:09 test slapd[5727]: <= acl_mask: [1] applying =x (stop)
    Sep 3 08:33:09 test slapd[5727]: <= acl_mask: [1] mask: =x
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: auth access granted by =x
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: auth access granted by =x
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=1 BIND dn="uid=system,ou=System,dc=domain,dc=com" mech=SIMPLE ssf=0
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=1 RESULT tag=97 err=0 text=
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=2 SRCH attr=supportedSASLMechanisms
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: search access to "" "objectClass" requested
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: backend default search access granted to "uid=system,ou=System,dc=domain,dc=com"
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: search access granted by read(=rscxd)
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: read access to "" "entry" requested
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: backend default read access granted to "uid=system,ou=System,dc=domain,dc=com"
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: read access granted by read(=rscxd)
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: read access to "" "supportedSASLMechanisms" requested
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: backend default read access granted to "uid=system,ou=System,dc=domain,dc=com"
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: read access granted by read(=rscxd)
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
    Sep 3 08:33:09 test slapd[5727]: conn=1 op=3 UNBIND
    Sep 3 08:33:09 test slapd[5727]: conn=1 fd=11 closed

As expected, I see the "auth" access granted per my ACL:

    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: auth access granted by =x
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: auth access granted by =x

But I also see "default" access being granted:

    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: backend default search access granted to "uid=system,ou=System,dc=domain,dc=com"
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: search access granted by read(=rscxd)
    Sep 3 08:33:09 test slapd[5727]: => access_allowed: read access to "" "entry" requested
    Sep 3 08:33:09 test slapd[5727]: => slap_access_allowed: backend default read access granted to "uid=system,ou=System,dc=domain,dc=com"

I'd expect that the "by * none" clauses should prevent default anything.

From 'man slapd.access' I learn:

    "If no access controls are present, the default policy allows anyone and
    everyone to read anything but restricts updates to rootdn. (e.g., "access
    to * by * read"). The rootdn can always read and write EVERYTHING!"

But I clearly have defined access controls. Why am I seeing any default access granted, and what ACL needs to be specified to prevent it?

Thanks.

Ric
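Added example, not part of Ric's post. The log wording "backend default ... access" is what slapd prints when the backend handling the entry has no ACL list of its own and falls back to the per-backend default (read). The entry searched here is the rootDSE (base "", scope base), which is not held by any database section; per slapd.access(5), entries not held in any database are covered only by the global access directives, i.e. `access` lines written before the first `database` line. The layout below assumes the rules in the post sat below the `database` directive (which would explain why the bind against uid=system was evaluated against them while the rootDSE search fell through to the backend default), and moves a deliberate rootDSE rule plus an explicit deny into the global section. The DNs, network and ssf values are the ones from the post; the backend type `bdb` and the suffix line are assumptions.

```conf
# Added example (not the original poster's configuration).
# Assumption: the original ACLs were placed after the "database" line, so
# the rootDSE at base "" (served by the frontend, not by any database) had
# no ACL list and got the backend default, which is read.

#### Global section: directives here apply to entries not held by any
#### database (rootDSE, cn=Subschema) and to databases with no ACLs.
security ssf=256 update_ssf=256 tls=256 update_tls=256 simple_bind=256

# rootDSE: grant exactly what "ldapsearch -b '' -s base +" needs and
# nothing more. Tightening "by ssf=256 read" to "by ssf=256 users read"
# also stops anonymous clients from discovering supportedSASLMechanisms.
access to dn.base=""
        by ssf=256 read
        by * none

# Everything else outside a database is denied (and a non-empty ACL list
# ends in an implicit "access to * by * none" anyway).
access to *
        by * none

#### Database section: rules here apply only to entries under the suffix.
database        bdb                        # backend type assumed
suffix          "dc=domain,dc=com"         # suffix assumed from the DNs

# Only TLS-protected (tls_ssf=256) clients from localhost or 10.0.1.0/24
# continue ("break") to the rules below; a client matching neither <who>
# clause is denied here, since an access directive with no matching
# <who> denies and stops.
access to *
        by tls_ssf=256 peername.ip=127.0.0.1 break
        by tls_ssf=256 peername.ip=10.0.1.0%255.255.255.0 break

# uid=system may only authenticate (=x) against its own userPassword over
# a 256-bit session; nobody may read or compare the value.
access to dn.exact="uid=system,ou=System,dc=domain,dc=com" attrs=userPassword
        by ssf=256 self =x
        by * none

# Explicit default deny for this database; narrower grants go above it.
access to *
        by * none
```

After the change, the same ldapsearch against base "" should log the rootDSE read as granted by the `dn.base=""` directive instead of by "backend default"; removing that directive should turn the search into err=32/err=50 style failures rather than a silent grant, which is the quickest check that no per-backend default is still in play.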