[Systems] LDAP access rights
Bernie Innocenti
bernie at codewiz.org
Fri Sep 10 16:17:59 EDT 2010
On Fri, 2010-09-10 at 12:39 +0200, Sascha Silbe wrote:
> Hi!
>
> For my work on an OpenID provider with public key authentication
> support, I would like to give users the permission to modify an
> attribute (tls-public-key) of their LDAP entry themselves.
>
> I couldn't find any ACL [1] in our configuration. This means I need to
> generate a new ACL that matches the old, implied one first (so I can
> expand it to allow modifying tls-public-key).
ACLs are obfuscated by the crap ldif format, but they are right there
in /etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self write by * none
olcAccess: {1}to dn.base="" by * read by anonymous read
olcAccess: {2}to * by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by * read by anonymous read
The above roughly means:
0) the password stuff can be managed by the admin dn, by anyone who
connects through the ldapi local socket (only root can access it)
and by yourself. Anyone else can't.
1) anyone, including unauthenticated users, can browse our ldap
database from its root
2) the admin dn and root can manage anything, others can only read
>[...]
> Is that right? If so, why can our password changer web frontend [2]
> change the password by binding to the user?
The web frontend binds as the user, so it uses the "by self write"
rule.
BTW: the passwd command doesn't seem to be smart enough to modify ldap
passwords. Theoretically, it should be done through pam, but I could
never get it to work (at least until 3 years ago).
--
// Bernie Innocenti - http://codewiz.org/
\X/ Sugar Labs - http://sugarlabs.org/
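The point in the reply that is easy to get wrong in practice is ordering: slapd picks the first olcAccess value whose "to" target matches the request, and inside it the first matching "by" clause fixes the access level, so a rule for tls-public-key appended after the catch-all "{2}to *" is never consulted. The following Python model is an added example written for this archive page, not code from the thread or from OpenLDAP; it implements only the keywords that appear in the quoted configuration (attrs=, dn.base=, *, by dn=, sockname=, self, anonymous, *), the proposed "to attrs=tls-public-key by self write by * read" rule is my assumption about what Sascha would add, and the uid=alice / uid=bob DNs are constructed sample values.

```python
"""Model of how slapd evaluates olcAccess rules: the first 'to' clause whose
target matches the request is chosen, then the first matching 'by' clause in
that rule sets the access level, and anything not matched is denied.
Added example for illustration only; it is not slapd code and it models only
the keywords used in the configuration quoted in the thread."""
import re

# slapd access levels, weakest to strongest; a higher level implies the lower ones
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]


class Rule:
    """One olcAccess value, e.g. '{0}to attrs=userPassword by self write by * none'."""

    def __init__(self, line):
        body = re.sub(r"^\{\d+\}", "", line.strip())  # drop cn=config's {n} ordering prefix
        m = re.match(r"to\s+(.+?)\s+by\s+(.+)$", body)
        if not m:
            raise ValueError("cannot parse: " + line)
        self.target, by_part = m.group(1), m.group(2)
        self.attrs = None      # set of attribute names, or None
        self.dn_base = None    # exact entry DN, or None
        if self.target.startswith("attrs="):
            self.attrs = {a.lower() for a in self.target[len("attrs="):].split(",")}
        elif self.target.startswith("dn.base="):
            self.dn_base = self.target[len("dn.base="):].strip('"')
        elif self.target != "*":
            raise ValueError("unsupported target: " + self.target)
        # each 'by' clause is "<who> <level>"; their order is significant
        self.who = []
        for clause in by_part.split(" by "):
            who, level = clause.strip().rsplit(" ", 1)
            if level not in LEVELS:
                raise ValueError("unknown access level: " + level)
            self.who.append((who, level))

    def matches_target(self, entry_dn, attr):
        if self.attrs is not None:
            return attr is not None and attr.lower() in self.attrs
        if self.dn_base is not None:
            return entry_dn == self.dn_base
        return True  # 'to *'

    def level_for(self, bind_dn, entry_dn, sock_path):
        for who, level in self.who:
            if who == "*":
                return level
            if who == "anonymous" and bind_dn is None:
                return level
            if who == "self" and bind_dn is not None and bind_dn == entry_dn:
                return level
            if who.startswith("dn=") and bind_dn == who[len("dn="):].strip('"'):
                return level
            if (who.startswith("sockname=") and sock_path is not None
                    and who[len("sockname="):].strip('"') == "PATH=" + sock_path):
                return level
        return "none"  # implicit 'by * none' at the end of every rule


def allowed(rules, bind_dn, entry_dn, attr, needed, sock_path=None):
    """True if a bind as bind_dn (None = anonymous, sock_path = ldapi socket used)
    gets at least `needed` access to `attr` of `entry_dn`. Only the first rule
    whose target matches counts; later rules are never reached."""
    for rule in rules:
        if rule.matches_target(entry_dn, attr):
            granted = rule.level_for(bind_dn, entry_dn, sock_path)
            return LEVELS.index(granted) >= LEVELS.index(needed)
    return False  # no rule matched: denied


# The three olcAccess values quoted in the thread, used here as constructed input.
CURRENT_ACL = [Rule(l) for l in [
    '{0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sugarlabs,dc=org" manage'
    ' by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self write by * none',
    '{1}to dn.base="" by * read by anonymous read',
    '{2}to * by dn="cn=admin,dc=sugarlabs,dc=org" manage'
    ' by sockname="PATH=/var/lib/ldap_root/ldapi" manage by * read by anonymous read',
]]

# Assumed new rule for the tls-public-key attribute (my wording, not from the thread).
NEW_RULE = "to attrs=tls-public-key by self write by * read"

# Appended after the catch-all '{2}to *', the new rule is never reached.
APPENDED = CURRENT_ACL + [Rule(NEW_RULE)]
# Inserted before the catch-all, it takes effect; cn=config would number it {1}.
INSERTED = CURRENT_ACL[:1] + [Rule(NEW_RULE)] + CURRENT_ACL[1:]

USER = "uid=alice,ou=people,dc=sugarlabs,dc=org"   # constructed sample DNs
OTHER = "uid=bob,ou=people,dc=sugarlabs,dc=org"


def summary():
    """Checks that reproduce the points made in the thread."""
    return {
        # 'by self write' is what lets the password frontend, bound as the user, change userPassword
        "self_can_write_password": allowed(CURRENT_ACL, USER, USER, "userPassword", "write"),
        "other_user_reads_password": allowed(CURRENT_ACL, OTHER, USER, "userPassword", "read"),
        "anonymous_reads_mail": allowed(CURRENT_ACL, None, USER, "mail", "read"),
        "root_via_ldapi_manages": allowed(CURRENT_ACL, None, USER, "userPassword", "manage",
                                          sock_path="/var/lib/ldap_root/ldapi"),
        "appended_rule_self_write": allowed(APPENDED, USER, USER, "tls-public-key", "write"),
        "inserted_rule_self_write": allowed(INSERTED, USER, USER, "tls-public-key", "write"),
        "inserted_rule_other_write": allowed(INSERTED, OTHER, USER, "tls-public-key", "write"),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

When adding the real rule through ldapmodify, giving the value as "olcAccess: {1}to attrs=tls-public-key ..." places it at position 1 and slapd renumbers the catch-all to {3}; before relying on it, check the effective result against the live configuration with slapacl, for example "slapacl -F /etc/ldap/slapd.d -D <user dn> -b <user dn> tls-public-key/write", which reports the access slapd actually computes rather than what the model above predicts.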