Linux – OpenLDAP ACLs are not working

fedoralinuxopenldap

First things first, I'm currently working with an OpenLDAP: slapd 2.4.36 on a Fedora release 19 (Schrödinger’s Cat).

I've just install the openldap with yum and my configuration is the following one:

##### OpenLDAP Default configuration #####
#
##### OpenLDAP CORE CONFIGURATION #####
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema

pidfile         /var/lib/ldap/slapd.pid

loglevel trace

##### Default Schema #####

database mdb
directory /var/lib/ldap/
maxsize 1073741824

suffix "dc=domain,dc=tld"
rootdn "cn=root,dc=domain,dc=tld"
rootpw {SSHA}SECRETP@SSWORD


##### Default ACL #####
access to attrs=userpassword
        by self write
        by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
        by anonymous auth
        by * none

I launch my OpenLDAP service using:

/usr/sbin/slapd -u ldap -h ldapi:/// ldap:/// -f /etc/openldap/slapd.conf

As you can see it's a pretty simple ACL which aim to allow access to the userPassword attribute to a specific group read only, then to the owner read and write to anonymous requiring auth and refuse the access to everyone else.

The problem is: Even using a valid user with correct password my ldapsearch ends with zero informations retrieved from the directory, plus I've got a strange response on the result line.

# search result
search: 2
result: 32 No such object

# numResponses: 1

here is the ldapsearch request:

ldapsearch -H ldap.domain.tld -W -b dc=domain,dc=tld -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld

I did not specify any filter as I want to check that ldapsearch is correctly printing only allowed attribute.

@SvW here is what I've put on my slapd.conf according to your exemple and OpenLDAP Documentation:

I edited my slapd.conf with the following ACLs rules eliminating group.exact for easier debug:

access to *
    by self read
    by anonymous auth
    by * none

access to attrs=userpassword
    by self write
    by anonymous auth
    by * none

but once again, I'm facing the

32 No Such object error

when I'm trying the following ldapsearches:

 ldapsearch -W -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld -b dc=domain,dc=tld userpassword=*

or without filter:

 ldapsearch -W -s sub -D cn=user,ou=service,ou=employees,ou=users,dc=domain,dc=tld -b dc=domain,dc=tld

Best Answer

To test, try to add

access to * by * read

after the first ACL entry.

This should still restrict the userpassword but explicitly allow you to read all other fields (I believe OpenLDAP adds implicitly to * by * none otherwise, see section 8.3.4 of the documentation).

Edit:

Does it restrict the password field? This is not very clear from your comment. If not, remember @Janne's answer and check if the spelling for userPassword is correct. If it is working, you'll have to start from there to add restrictions. The following is untested, but should work (it might be too restrictive though).

access to * 
    by self read 
    by group.exact="cn=administrators,ou=builtin,ou=groups,dc=domain,dc=tld" write
    by * none

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

pam_ldap shouldn't be attempting to read the userPassword value to log you in -- It logs you in by doing an LDAP bind with the DN that it retrieves.

It's possible the search parameters pam_ldap uses are over-broad & it tries to pull userPassword as a result, but if your ACL is set up correctly (looks fine to me) it won't get that value in its results.

Just in case your ACLs aren't fine (I've been known to miss stupidly obvious stuff before), here's the working ACL list from my production LDAP environment :)

# Access and Security Restrictions
# (Most restrictive entries first)
access to attrs=userPassword
    by self write
    by dn.sub="ou=sync,dc=mydomain,dc=com" read
    by anonymous auth
by users none

access to * by * read

The trailing access to * by * read is important, I didn't see it in your examples so I'm not sure if it's missing or just omitted from your snippet.

The sync line is for my LDAP synchronization service and isn't necessary if you're not doing replication...

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Since you are having issues with eDirectory, you are quite lucky, since you can use DSTrace with the LDAP option on to see what is going on, from the eDirectory server view.

Once you know what is being asked, and what the server is responding you can effectively troubleshoot the issue.

Basic eDirectory schema is complaint with LDAP and any standard LDAP schema should work for the most part. To get some specific features you might need some additional support, but that does not sound like your issue.

If you have access to the 10.10.1.27 box, try and look at it via http://10.10.1.27:8008 (or possibly port 8010, or 8028 depending if you are running eDirectory on Netware, Windows or a Unix variant respectively). This should redirect you to an https:// connection one port number higher (8009, 8010, or 8030 (ya 2 not 1)). Look for iMonitor or Dstrace, and then clear all the other flags, and enable the LDAP flag. Then the Dstrace Live icon will refresh on each click with the latest transactions.

Now as to your issue of:

there's almost no hierarchy. (I can set a base DN and view a particular object... but if I set the real base DN... I can only see it... and no children.)

I would suspect this issue is more about not doing the right kind of query. Sounds like you are doing Entry not Subtree queries. This will be very obvious in Dstrace, as you will see a query event that looks something like:

10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Search request:
base: "ou=people,o=acme,dc=com"
scope:2 dereference:3 sizelimit:1 timelimit:0 attrsonly:0
filter: "(&(objectClass=inetorgperson)(acme7DigitName=gxc1234))"
no attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Empty attribute list implies all user attributes
10:19:01 B68BEBA0 LDAP: (10.1.1.42:55133)(0x0002:0x63) Sending search result entry "cn=gxc1234,ou=UNK,ou=People,o=acme,dc=com" to connection 0xa07e6c0

There the scope: 2 tells you it is an entry search. You want to see it do a subtree (0) level search in order to get what you are looking for.

You can read more about how I used this sort of tooling to debug the nonsense that SAP's GRC web interface does for LDAP data retrieval.

Best Answer

Related Solutions

Ldap – Securing userPassword access with OpenLDAP in RHEL

Ldap – Using OpenLDAP to proxy to an Novell eDirectory LDAP Server

Related Topic