On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:

>>> Are groups involved in the acis and do these groups during these runs ?
>> Yes, most of our ACIs use groups to determine access. I'm not sure I understand the second part of your question though.
> you can't, it was incomplete. I wanted to know if these groups are modified during the runs when you see the failure.
>> I do suspect this has something to do with access control though as it's behaving exactly like the user is denied by the ACIs.

No, groups were not modified. They are relatively small as we're still migrating to this environment--maybe 10-15 DNs per group and they're only modified when we add/remove privileged accounts, which isn't very often.

>>> Could you post your acis ?
>> Probably. I'm working on permission to do so.

The compromise I came to with my management and security team is to obfuscate the ACIs such that the attribute counts and structure are intact but the names are changed. Is the below useful?

# Employee LDAP Access Control
#
dn: dc=domain,dc=org
changetype: modify
replace: aci
#
aci: (target = "ldap:///ou=employees,dc=domain,dc=org") (targetattr = "userpassword")
 (version 3.0; acl "limited user self write"; allow (write) userdn = "ldap:///self";)
#
aci: (target = "ldap:///dc=domain,dc=org" )
 (targetfilter = "(|(objectclass=orgAssociate)(objectclass=orgEmployee)(objectclass=domain) (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
 (targetattr = "attr1 || attr2 || ... || attr40")
 (version 3.0; acl "general access, replaces anonymous access"; allow (read, search, compare)
 (userdn = "ldap:///self")
 or (groupdn = "ldap:///cn=orgGroup1,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup3,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org") ;)
#
aci: (target = "ldap:///dc=domain,dc=org" )
 (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain) (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
 (targetattr = "attr1 || attr2 || ... || attr40 ")
 (version 3.0; acl "general access, replaces anonymous access"; allow (read, search, compare)
 (userdn = "ldap:///self")
 or (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org") ;)
#
aci: (target = "ldap:///dc=domain,dc=org")
 (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain) (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=orgServiceAccount)(objectclass=orgOrgAccount))")
 (targetattr = "attr1 || attr2 || ... || attr40")
 (version 3.0; acl "general access plus service and organizational accounts"; allow (read, search, compare)
 (userdn = "ldap:///self")
 or (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org") ;)
#
aci: (target = "ldap:///dc=domain,dc=org")(targetattr = "attr1 || attr2 || ... || attr30")
 (version 3.0; acl "limited read access to non-public attributes for delegated admins"; allow (read, search, compare)
 (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org")
 or (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org") ;)
#
aci: (target = "ldap:///dc=domain,dc=org") (targetattr = "attr1 || attr2 || ... || attr28")
 (version 3.0; acl "limited write access for delegated admins"; allow (write)
 groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
#
aci: (target = "ldap:///dc=domain,dc=org") (targetattr = "*")
 (version 3.0; acl "full access for delegated admins"; allow (all)
 groupdn = "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";)
#
aci: (target = "ldap:///dc=domain,dc=org")
 (targetfilter="(memberof=cn=orgGroup6,ou=Groups,dc=domain,dc=org)") (targetattr="userpassword")
 (version 3.0; acl "deny non-admin user write access to admin users' passwords"; deny (all)
 groupdn != "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org" ;)
#
aci: (target = "ldap:///dc=domain,dc=org") (targetattr = "attr1 || attr2 || ... || attr19")
 (version 3.0; acl "access to posixaccount attributes for proxyagent"; allow (read,search,compare)
 userdn = "ldap:///uid=binddn1,ou=svc_accts,dc=domain,dc=org";)

thanks,
-morgan

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users