Re: ACI to allow group to access one attribute


 



> I need to see the aci's on your server to help more. Can you please
> send me (either to the list, or directly to my email) the output of:
> 
> ldapsearch -x -b "your basedn" -D 'cn=Directory Manager' -w -H
> ldaps://<your server> '(aci=*)' aci
> 
> That will help me answer the question as to what is causing this
> attribute to be readable,


William was kind enough to answer me directly.


	> # /usr/lib/mozldap/ldapsearch -D 'cn=Directory Manager' -j /etc/.ldap.secret -b 'dc=global' '(aci=*)' aci
	> version: 1
	> dn: dc=global
	> aci: (targetattr != "userPassword") (version 3.0; acl "Anonymous access"; allow (read, search, compare)userdn = "ldap:///anyone";

	See this '!=' in targetattr? This doesn't mean "exclude userPassword
	from searches" it means "take the set of every attribute that exists in
	the server, and allow search on ALL of them EXCEPT userPassword.". This
	aci is a huge security risk because you are disclosing ALL attribute
	states.

	It's better to have a super long list of attributes here that you trust
	to be read. In the next version of Directory Server we fix these
	default attributes to have sane content.

	> aci: (targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry modification except for nsroledn and aci attributes"; allow (write)userdn = "ldap:///self"

	Again, the same effect here: But this time this allows a user to "self
	write any attribute that exists EXCEPT these two". Which again has huge
	security risks, because now they can self edit objectClass, add a
	container type, child entries .... They can edit the nsadminlimits, or
	more. So again, this needs to be a "targetattr = ...." list of what you
	WANT to allow self write to. 

	> aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot"
	> aci: (targetattr ="*")(version 3.0;acl "Configuration Administrators Group";allow (all) (groupdn = "ldap:///cn=Configuration Administrators, ou=Groups, ou=TopologyManagement, o=NetscapeRoot")
	> aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all)groupdn = "ldap:///dc=global"

	These three are probably okay, because you expect these members to be
	able to change everything arbitrarily. 



I would like to note that all those ACIs were defined by default during installation and initial configuration of 389; I didn't add anything manually.
I understand now that it is a lot better to have an explicit list of allowed attributes than a negative blacklist.
If I get it correctly this is a huge security problem, and I've seen a lot of LDAP servers configured this way.

Thanks again for your time, William.


abosch
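To make the point of the thread checkable, here is an added example (not code from the thread or from 389 Directory Server) that parses ACI values of the common shape shown above, flags any `targetattr !=` exclusion list, and rebuilds such an ACI as an explicit allow-list of attributes you trust. The sample ACI strings are constructed to mirror the defaults quoted above; the regex only covers the single-clause ACI form seen in this thread.

```python
import re

# Constructed sample ACI values, in the shape 389 Directory Server returns them
# (the two "!=" entries mirror the defaults discussed in the thread).
SAMPLE_ACIS = [
    '(targetattr != "userPassword") (version 3.0; acl "Anonymous access"; '
    'allow (read, search, compare) userdn = "ldap:///anyone";)',
    '(targetattr != "nsroledn||aci")(version 3.0; acl "Allow self entry '
    'modification except for nsroledn and aci attributes"; '
    'allow (write) userdn = "ldap:///self";)',
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) '
    'groupdn = "ldap:///dc=global";)',
]

# Minimal pattern for the common ACI shape: one targetattr clause, one acl name,
# one allow(...) rights list and one userdn/groupdn bind rule.
ACI_RE = re.compile(
    r'\(\s*targetattr\s*(?P<op>!=|=)\s*"(?P<attrs>[^"]*)"\s*\)'
    r'.*?acl\s+"(?P<name>[^"]*)"'
    r'.*?allow\s*\((?P<rights>[^)]*)\)'
    r'\s*(?P<subject>userdn|groupdn)\s*=\s*"(?P<who>[^"]*)"',
    re.DOTALL,
)

def parse_aci(aci):
    m = ACI_RE.search(aci)
    if not m:
        raise ValueError("unrecognised ACI syntax: " + aci)
    d = m.groupdict()
    d["attrs"] = [a.strip() for a in d["attrs"].split("||")]
    d["rights"] = [r.strip() for r in d["rights"].split(",")]
    return d

def audit(aci):
    """Return a finding for a negative (exclusion) targetattr list, else None.
    A '!=' list grants the rights on every attribute except the ones named."""
    p = parse_aci(aci)
    if p["op"] != "!=":
        return None
    return 'acl "%s": %s granted to %s on ALL attributes except %s' % (
        p["name"], "/".join(p["rights"]), p["who"], ", ".join(p["attrs"]))

def allowlist_rewrite(aci, trusted_attrs):
    """Rebuild the ACI as an explicit allow-list of the attributes you trust."""
    p = parse_aci(aci)
    return '(targetattr = "%s")(version 3.0; acl "%s"; allow (%s) %s = "%s";)' % (
        "||".join(trusted_attrs), p["name"], ", ".join(p["rights"]),
        p["subject"], p["who"])
```

Run `audit()` over every value returned by the `ldapsearch '(aci=*)' aci` query above; each non-None finding is a candidate for `allowlist_rewrite()` with the attribute list you actually intend to expose.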





_______________________________________________
389-users mailing list -- 389-users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to 389-users-leave@xxxxxxxxxxxxxxxxxxxxxxx



