[Fedora-directory-users] ACI deny matching with macros
John A. Sullivan III
jsullivan at opensourcedevel.com
Tue Nov 18 04:18:26 UTC 2008
Hello, all. This post is a follow up to an IRC chat with Rich Megginson
and others.
Rich, I did not report the problem as a bug because upon several more
hours of testing, it does not appear to be a conflict between userdn and
roledn permissions. Rather, it appears to be a wildcard globbing issue.
To bring the everyone else up to speed, in a multi-tenant environment,
we have an allow ACI to permit clients to administer their own portion
of the tree. However, their portions of the tree also contain some
system type accounts used to by the host to enable certain client
functions. These should not be viewable by the client admins so there
is an ACI to deny access to these. We also want to use macros to create
a single ACI at the root which will apply to all clients rather than
creating ACIs for each client.
To grant client access, we create a role at the top of their tree named
ldapadmins and assign it to the appropriate client admins. We create a
root level ACI as follows:
(targetattr = "*") (target = "ldap:///($dn),dc=ssiservices, dc=biz")
(version 3.0;acl "Client Administrators";allow (all)(roledn =
"ldap:///cn=ldapadmins,[$dn],dc=ssiservices,dc=biz");)
It works fine. The tree looks something like this:
root
/com
/client1
/Users
/Internal
/Contacts
/SysAccounts
No one would have access to SysAccounts except client ldapadmins from
the above ACI. We don't want that so we create the following ACI to
deny access to SysAccounts:
(targetattr = "*") (target =
"ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl
"Protect sysaccounts";deny (all)(userdn =
"ldap:///uid=*,ou=users,[$dn],dc=ssiservices,dc=biz");)
We had contemplated
(targetattr = "*") (target =
"ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl
"Protect sysaccounts";deny (all)(userdn =
"ldap:///uid=*[$dn],dc=ssiservices,dc=biz");)
but did not want to take the chance that the SysAccounts uses could not
see themselves.
Let's say we have a client admin at
uid=terry,ou=internal,ou=users,dc=client1,dc=com,dc=ssiservices,dc=biz.
The * after uid and with no comma before ou=users should match anything
in users including "uid=terry,ou=internal,". It doesn't. The deny rule
is not applied to Terry.
If I change the ACI to:
(targetattr = "*") (target =
"ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl
"Protect sysaccounts";deny (all)(userdn =
"ldap:///uid=*ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz");)
it still fails. However, if I change it to:
(targetattr = "*") (target =
"ldap:///ou=sysaccounts,($dn),dc=ssiservices,dc=biz") (version 3.0;acl
"Protect sysaccounts";deny (all)(userdn =
"ldap:///uid=*,ou=internal,ou=users,[$dn],dc=ssiservices,dc=biz");)
it works. The deny matches Terry and is enforced. This seems to be an
explicit contradiction of the documentation.
http://www.redhat.com/docs/manuals/dir-server/ag/8.0/Managing_Access_Control-Bind_Rules.html#Bind_Rules-Defining_User_Access___userdn_Keyword
userdn = "ldap:///uid=*,dc=example,dc=com";
The bind rule is evaluated to be true if the user binds to the directory
using any distinguished name of the specified pattern. For example, both
of the following bind DNs would be evaluated to be true:
uid=ssarette,dc=example,dc=com
uid=tjaz,ou=Accounting,dc=example,dc=com
Are we doing something wrong or is this just a mismatch between code and
docs? Thanks - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsullivan at opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
More information about the Fedora-directory-users
mailing list