
Re: [edlug] LDAP. An ACL nightmare.



On 25/02/2010 14:38, Gavin Henry wrote:

Hi,



You can test all this with slapacl:

    /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -v \
        -U bjorn -b "o=University of Michigan,c=US" \
        "o/read:University of Michigan"

Wow. I can't even think how I've been trying to figure out from the log files what was going on without the use of slapacl. What a great tool! Unfortunately on a couple of occasions I had to restart the LDAP server while running this - I know I probably shouldn't run it on a running server but thankfully it was pretty much all right.


However, in this configuration
      * An authenticated "postmaster" e.g.
cn=postmaster,jvd=domain.com,o=mailsrv,dc=rmacd,dc=com cannot edit
their own or their users' entries
      * An authenticated user cannot edit their own entries
Because you've told slapd that everyone has read access.
Aha. Now I see.

Does the dovecot user always bind to search?
Apparently it doesn't and that's where I've been going partly wrong.

Think of walking along a line of people with someone following you:
1. The person following you knows all information in your directory server and is a translator. The line of people are the rules, but they don't speak English.
2. The first person that wants to talk (i.e. you've matched their rule to chat) tells the person following you what you are allowed to hear or do. You then both carry on.
3. The next person that talks to you (i.e. another match be it by * or directly), does the same, but if they've already been told they can share all the information, then you can't change that (i.e. a write). If they've been told to forget something or something you can change, you get told that. If the condition is "break", you get kicked out of the line and the person following you shares everything they know.

You'd use break if doing replication and the replication user always has a rule first so the rest don't get evaluated.

That's a pretty crap analogy, but I've done my best :-)

Well it seems to make enough sense for me to have got the problem fixed.


Many thanks Gavin, you certainly managed to put me straight :-)

After lots of umming and erring (more erring than umming) here's the (current) "solution" that seems to be working well for me, for anyone on the list that's interested:


## Password controls
access to dn.regex=".*,jvd=([^,]+),o=mailsrv,dc=rmacd,dc=com" attrs=userPassword
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=mailsrv,dc=rmacd,dc=com" write
    by self write
    by dn="cn=dovecot,dc=rmacd,dc=com" read
    by * auth

## Now general controls
access to dn.regex=".*,jvd=([^,]+),o=mailsrv,dc=rmacd,dc=com"
    by group/jammPostmaster/roleOccupant.expand="cn=postmaster,jvd=$1,o=mailsrv,dc=rmacd,dc=com" write
    by self write break
    by * read

## Postfix doesn't want to search without the following
## (Tried access to dn.subtree="o=mailsrv,dc=rmacd,dc=com"
## but it just bailed out)
access to dn.subtree="dc=rmacd,dc=com"
    by self write
    by * read

## Etc.
access to dn.base=""
    by * read
    by anonymous read

access to dn.base="cn=Subschema"
    by * read

access to *
    by self write
    by users read


Best wishes, Ronald.

--
Ronald MacDonald : ronald@xxx.xxx.xxx
http://www.rmacd.com/ +44-777-235-1655
4 1f1 Gillespie Cresc, Edinburgh.
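The evaluation order Gavin describes (the first `access to` directive whose target matches is used, its `by` clauses are tried in order, `stop` answers and `break` moves on to the next directive) and why a blanket read rule ahead of the per-domain rules stopped postmasters and users from writing, as an added Python model that is not part of this thread or of OpenLDAP. It encodes the ACLs from Ronald's config against constructed entries (uid=alice, uid=pm and the domain.com postmaster group are hypothetical) and models only `stop`/`break` and the `*`, `self`, `dn=` and `group/.../...expand` subjects, with the implicit trailing `by * none`.

```python
import re
# Constructed snapshot (hypothetical entries) modelled on the thread's DNs: the domain.com postmaster group lists uid=pm.
PM = "uid=pm,jvd=domain.com,o=mailsrv,dc=rmacd,dc=com"
ALICE = "uid=alice,jvd=domain.com,o=mailsrv,dc=rmacd,dc=com"
DOVECOT = "cn=dovecot,dc=rmacd,dc=com"
DIRECTORY = {"cn=postmaster,jvd=domain.com,o=mailsrv,dc=rmacd,dc=com": {"roleOccupant": [PM]}}
JVD = r".*,jvd=([^,]+),o=mailsrv,dc=rmacd,dc=com"
PM_GROUP = ("group", "cn=postmaster,jvd=$1,o=mailsrv,dc=rmacd,dc=com", "roleOccupant")
# Directives as ((kind, pattern, attrs), [(who, level, control), ...]), in the order of Ronald's config.
FIXED_ACLS = [
    (("regex", JVD, {"userPassword"}), [(PM_GROUP, "write", "stop"), (("self",), "write", "stop"),
                                        (("dn", DOVECOT), "read", "stop"), (("*",), "auth", "stop")]),
    (("regex", JVD, None), [(PM_GROUP, "write", "stop"), (("self",), "write", "break"),
                            (("*",), "read", "stop")]),
    (("subtree", "dc=rmacd,dc=com", None), [(("self",), "write", "stop"), (("*",), "read", "stop")]),
]
# Gavin's diagnosis, reconstructed: a blanket "by * read" on the whole tree ahead of the per-domain rules.
BROKEN_ACLS = [(("subtree", "dc=rmacd,dc=com", None), [(("*",), "read", "stop")])] + FIXED_ACLS[:2]

def what_matches(what, target_dn, attr):  # regex groups ({1: ...}) if <what> covers the target, else None
    kind, pattern, attrs = what
    if attrs is not None and attr not in attrs:
        return None
    if kind == "subtree":
        return {} if target_dn == pattern or target_dn.endswith("," + pattern) else None
    m = re.search(pattern, target_dn)  # dn.regex is not implicitly anchored
    return {i + 1: g for i, g in enumerate(m.groups())} if m else None

def who_matches(who, bind_dn, target_dn, groups):
    kind = who[0]
    if kind == "*": return True
    if kind == "self": return bind_dn == target_dn
    if kind == "dn": return bind_dn == who[1]
    group_dn = who[1].replace("$1", groups.get(1, ""))  # group/<oc>/<attr>.expand: fill in $1
    return bind_dn in DIRECTORY.get(group_dn, {}).get(who[2], [])

def access_level(acls, bind_dn, target_dn, attr):  # first matching <what> is used, then its <by> clauses in order
    level = "none"
    for what, clauses in acls:
        groups = what_matches(what, target_dn, attr)
        if groups is None:
            continue
        for who, granted, control in clauses:
            if who_matches(who, bind_dn, target_dn, groups):
                level = granted
                if control == "stop":
                    return level
                break  # 'break': leave this directive, carry the level into the next matching one
        else:
            return "none"  # matching directive but no matching <by>: the implicit 'by * none'
    return level
```

With FIXED_ACLS, alice gets write on her own entry (the second directive's `break` hands her on to the subtree rule), dovecot gets read on userPassword and anonymous binds get only auth; with BROKEN_ACLS both alice and the postmaster are stuck at read, which is the symptom in the original question.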
