[Systems] LDAP access rights

Bernie Innocenti bernie at codewiz.org
Fri Sep 10 16:17:59 EDT 2010


On Fri, 2010-09-10 at 12:39 +0200, Sascha Silbe wrote:
> Hi!
> 
> For my work on an OpenID provider with public key authentication
> support, I would like to give users the permission to modify an
> attribute (tls-public-key) of their LDAP entry themselves.
> 
> I couldn't find any ACL [1] in our configuration. This means I need to
> generate a new ACL that matches the old, implied one first (so I can
> expand it to allow modifying tls-public-key).

ACLs are obfuscated by the crap ldif format, but they are right there
in /etc/ldap/slapd.d/cn=config/olcDatabase\=\{1\}hdb.ldif

 olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by self write by * none
 olcAccess: {1}to dn.base="" by * read by anonymous read
 olcAccess: {2}to * by dn="cn=admin,dc=sugarlabs,dc=org" manage by sockname="PATH=/var/lib/ldap_root/ldapi" manage by * read by anonymous read

The above roughly means:

0) the password stuff can be managed by the admin dn, by anyone who
   connects through the ldapi local socket (only root can access it)
   and by yourself. Anyone else can't.

1) anyone, including unauthenticated users, can browse our ldap
   database from its root

2) the admin dn and root can manage anything, others can only read


>[...]
> Is that right? If so, why can our password changer web frontend [2]
> change the password by binding to the user?

The web frontend binds as the user, so it uses the "by self write"
rule.

BTW: the passwd command doesn't seem to be smart enough to modify ldap
passwords. Theoretically, it should be done through pam, but I could
never get it to work (at least until 3 years ago).

-- 
   // Bernie Innocenti - http://codewiz.org/
 \X/  Sugar Labs       - http://sugarlabs.org/
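Added example (not part of the thread and not Sugar Labs' configuration): a small Python model of how slapd evaluates the three olcAccess values quoted above. It shows the two ordering rules that matter for this discussion: the first `to` clause whose target matches the entry/attribute wins, and inside that clause the first matching `by` clause decides the level (a user gets `write` on userPassword via `by self write`, but only `read` on any other attribute via the catch-all rule {2}). `TLS_KEY_RULE` and the user DN are my assumptions, constructed to show where an extra rule for tls-public-key would have to sit (before the catch-all) for self-modification to work.

```python
import re

# slapd access levels, lowest to highest; a granted level implies all lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The three olcAccess values from the thread, with their {n} ordering prefixes stripped.
RULES = [
    'to attrs=userPassword,shadowLastChange '
    'by dn="cn=admin,dc=sugarlabs,dc=org" manage '
    'by sockname="PATH=/var/lib/ldap_root/ldapi" manage '
    'by self write by * none',
    'to dn.base="" by * read by anonymous read',
    'to * by dn="cn=admin,dc=sugarlabs,dc=org" manage '
    'by sockname="PATH=/var/lib/ldap_root/ldapi" manage '
    'by * read by anonymous read',
]

# Assumed extra rule (my construction, not in the thread): let a user write the
# tls-public-key attribute of their own entry, everyone else may read it.
TLS_KEY_RULE = 'to attrs=tls-public-key by self write by * read'


def parse_rule(text):
    """Split 'to <what> by <who> <level> by <who> <level> ...' into
    (target, [(who, level), ...]), preserving the order of the by-clauses."""
    m = re.match(r'^to\s+(.+?)\s+by\s+(.*)$', text)
    if not m:
        raise ValueError("not an access rule: %r" % text)
    target, rest = m.group(1), m.group(2)
    clauses = []
    for part in re.split(r'\s+by\s+', rest):
        who, level = part.rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError("unknown access level %r" % level)
        clauses.append((who, level))
    return target, clauses


def target_matches(target, entry_dn, attr):
    """Does this rule's <what> clause cover the requested entry/attribute?"""
    if target == "*":
        return True
    if target.startswith("attrs="):
        return attr in target[len("attrs="):].split(",")
    if target.startswith("dn.base="):
        return entry_dn == target[len("dn.base="):].strip('"')
    raise ValueError("unsupported target %r" % target)


def who_matches(who, bind_dn, sockname, entry_dn):
    """Does this <who> clause describe the requester? bind_dn is None when anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and bind_dn == entry_dn
    if who.startswith("dn="):
        return bind_dn == who[len("dn="):].strip('"')
    if who.startswith("sockname="):
        return sockname == who[len("sockname="):].strip('"')
    raise ValueError("unsupported who %r" % who)


def granted_level(rules, bind_dn, sockname, entry_dn, attr):
    """First rule whose target matches wins; inside it, the first matching
    <who> clause decides. No matching <who> clause means 'none'."""
    for rule in rules:
        target, clauses = parse_rule(rule)
        if not target_matches(target, entry_dn, attr):
            continue
        for who, level in clauses:
            if who_matches(who, bind_dn, sockname, entry_dn):
                return level
        return "none"
    return "none"  # no rule covered the target (a simplification of this model)


def allowed(rules, bind_dn, sockname, entry_dn, attr, wanted):
    """True when the granted level is at least the wanted level."""
    got = granted_level(rules, bind_dn, sockname, entry_dn, attr)
    return LEVELS.index(got) >= LEVELS.index(wanted)


if __name__ == "__main__":
    user = "uid=someone,ou=People,dc=sugarlabs,dc=org"  # constructed DN
    root_sock = "PATH=/var/lib/ldap_root/ldapi"
    print(allowed(RULES, user, None, user, "userPassword", "write"))       # 'by self write'
    print(allowed(RULES, None, None, user, "userPassword", "read"))        # 'by * none'
    print(allowed(RULES, None, root_sock, user, "userPassword", "manage")) # ldapi socket
    print(allowed(RULES, user, None, user, "tls-public-key", "write"))     # catch-all: read only
    extended = RULES[:2] + [TLS_KEY_RULE] + RULES[2:]                      # insert before 'to *'
    print(allowed(extended, user, None, user, "tls-public-key", "write"))
```

The last two calls are the point for the thread: with only the three existing rules, a user binding as themselves reaches rule {2} for tls-public-key and gets `read`, so the modify is refused; placing the attribute-specific rule before the `to *` catch-all is what makes `by self write` apply. Appended after the catch-all it would never be reached.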