Re: Some bind DNs sporadically can't search users

Ludwig Krispenz <lkrispen@xxxxxxxxxx> · Thu, 06 Mar 2014 17:51:50 +0100

On 03/06/2014 05:42 PM, Morgan Jones wrote:
On Mar 6, 2014, at 11:32 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:

On 03/04/2014 11:10 PM, Morgan Jones wrote:

On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz <lkrispen@xxxxxxxxxx> wrote:

Are groups involved in the acis and do these groups during these runs ?
Yes, most of our ACIs use groups to determine access.  I'm not sure I understand the second part of your question though.
you can't, it was incomplete. I wanted to know if these groups are modified during the runs when you see the failure.
  I do suspect this has something to do with access control though as it's behaving exactly like the user is denied by the ACIs.
No, groups were not modified.  They are relatively small as we're still migrating to this environment--maybe 10-15 DNs per group and they're only modified when we add/remove privileged accounts which isn't very often.

Could you post your acis ?
Probably.  I'm working on permission to do so.
The compromise I came to with my management and security team is to obfuscate the ACIs such that the attribute counts and structure are intact but the names are changed.  Is the below useful?
yes, but II can't see anything wrong with the acis.
Thanks for your input on the ACIs.

One more question. Do the searches always match only one entry or one they should see and some they shouldn't ?
In every case where we've seen this problem it's a search for one entry (uid=username) that the bind dn is able to see.
what i was thinking of is a scenario where there is a cn=user1 in two 
subtrees, the bound user should only see one. I remember a case where 
the deny for the one entry was cached and the other entry was not returned

Thanks for your input, we're working on repeating it reliably in 389.
That would be great

# Employee LDAP Access Control
#
dn: dc=domain,dc=org
changetype: modify
replace: aci
#
aci: (target = "ldap:///ou=employees,dc=domain,dc=org";)
  (targetattr = "userpassword")
  (version 3.0; acl "limited user self write";
  allow (write) userdn = "ldap:///self";;)
#
aci: (target = "ldap:///dc=domain,dc=org"; )
  (targetfilter = "(|(objectclass=orgAssociate)(objectclass=orgEmployee)(objectclass=domain)
  (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
  (targetattr = "attr1 || attr2 || ... || attr40")
  (version 3.0; acl "general access, replaces anonymous access";
  allow (read, search, compare)
  (userdn = "ldap:///self";) or
  (groupdn = "ldap:///cn=orgGroup1,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup3,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
  ;)
#
aci: (target = "ldap:///dc=domain,dc=org"; )
  (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
  (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
  (targetattr = "attr1 || attr2 || ... || attr40 ")
  (version 3.0; acl "general access, replaces anonymous access";
  allow (read, search, compare)
  (userdn = "ldap:///self";) or
  (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
  ;)
#
aci: (target = "ldap:///dc=domain,dc=org";)
  (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
  (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=orgServiceAccount)(objectclass=orgOrgAccount))")
  (targetattr = "attr1 || attr2 || ... || attr40")
  (version 3.0; acl "general access plus service and organizational accounts";
  allow (read, search, compare)
  (userdn = "ldap:///self";) or
  (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
  ;)
#
aci: (target = "ldap:///dc=domain,dc=org";)(targetattr = "attr1 ||
  attr2 || ... || attr30")
  (version 3.0; acl "limited read access to non-public attributes for delegated admins";
  allow (read, search, compare)
  (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org";) or
  (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
  ;)
#
aci: (target = "ldap:///dc=domain,dc=org";)
  (targetattr = "attr1 || attr2 || ... || attr28")
  (version 3.0; acl "limited write access for delegated admins";
  allow (write) groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";;)
#
aci: (target = "ldap:///dc=domain,dc=org";)
  (targetattr = "*")(version 3.0; acl "full access for delegated admins";
  allow (all) groupdn = "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";;)
#
aci: (target = "ldap:///dc=domain,dc=org";)
  (targetfilter="(memberof=cn=orgGroup6,ou=Groups,dc=domain,dc=org)")
  (targetattr="userpassword")
  (version 3.0; acl "deny non-admin user write access to admin users' passwords";
  deny (all) groupdn != "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";
  ;)
#
aci: (target = "ldap:///dc=domain,dc=org";)
  (targetattr = "attr1 || attr2 || ... || attr19")
  (version 3.0; acl "access to posixaccount attributes for proxyagent";
  allow (read,search,compare) userdn = "ldap:///uid=binddn1,ou=svc_accts,dc=domain,dc=org";;)

thanks,

-morgan

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users
--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users

--
389 users mailing list
389-users@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/389-users