[389-users] Some bind DNs sporadically can't search users

Ludwig Krispenz lkrispen at redhat.com
Thu Mar 6 16:32:21 UTC 2014


On 03/04/2014 11:10 PM, Morgan Jones wrote:
>
>
> On Mar 4, 2014, at 3:20 AM, Ludwig Krispenz <lkrispen at redhat.com> wrote:
>
>>>> Are groups involved in the acis and do these groups during these runs ?
>>> Yes, most of our ACIs use groups to determine access.  I'm not sure I understand the second part of your question though.
>> you can't, it was incomplete. I wanted to know if these groups are modified during the runs when you see the failure.
>>>   I do suspect this has something to do with access control though as it's behaving exactly like the user is denied by the ACIs.
> No, groups were not modified.  They are relatively small as we're still migrating to this environment--maybe 10-15 DNs per group and they're only modified when we add/remove privileged accounts which isn't very often.
>
>>>> Could you post your acis ?
>>> Probably.  I'm working on permission to do so.
> The compromise I came to with my management and security team is to obfuscate the ACIs such that the attribute counts and structure are intact but the names are changed.  Is the below useful?
yes, but I can't see anything wrong with the acis.

One more question. Do the searches always match only one entry, or some they should see and some they shouldn't?
>
> # Employee LDAP Access Control
> #
> dn: dc=domain,dc=org
> changetype: modify
> replace: aci
> #
> aci: (target = "ldap:///ou=employees,dc=domain,dc=org")
>   (targetattr = "userpassword")
>   (version 3.0; acl "limited user self write";
>   allow (write) userdn = "ldap:///self";)
> #
> aci: (target = "ldap:///dc=domain,dc=org" )
>   (targetfilter = "(|(objectclass=orgAssociate)(objectclass=orgEmployee)(objectclass=domain)
>   (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
>   (targetattr = "attr1 || attr2 || ... || attr40")
>   (version 3.0; acl "general access, replaces anonymous access";
>   allow (read, search, compare)
>   (userdn = "ldap:///self") or
>   (groupdn = "ldap:///cn=orgGroup1,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup3,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>   ;)
> #
> aci: (target = "ldap:///dc=domain,dc=org" )
>   (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
>   (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=groupofuniquenames))")
>   (targetattr = "attr1 || attr2 || ... || attr40 ")
>   (version 3.0; acl "general access, replaces anonymous access";
>   allow (read, search, compare)
>   (userdn = "ldap:///self") or
>   (groupdn = "ldap:///cn=orgGroup2,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>   ;)
> #
> aci: (target = "ldap:///dc=domain,dc=org")
>   (targetfilter = "(|(objectclass=orgExternalEmployee)(objectclass=domain)
>   (objectclass=organizationalunit)(objectclass=groupofnames)(objectclass=orgServiceAccount)(objectclass=orgOrgAccount))")
>   (targetattr = "attr1 || attr2 || ... || attr40")
>   (version 3.0; acl "general access plus service and organizational accounts";
>   allow (read, search, compare)
>   (userdn = "ldap:///self") or
>   (groupdn = "ldap:///cn=OrgGroup3,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>   ;)
> #
> aci: (target = "ldap:///dc=domain,dc=org")(targetattr = "attr1 ||
>   attr2 || ... || attr30")
>   (version 3.0; acl "limited read access to non-public attributes for delegated admins";
>   allow (read, search, compare)
>   (groupdn = "ldap:///cn=orgGroup4,ou=groups,dc=domain,dc=org") or
>   (groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org")
>   ;)
> #
> aci: (target = "ldap:///dc=domain,dc=org")
>   (targetattr = "attr1 || attr2 || ... || attr28")
>   (version 3.0; acl "limited write access for delegated admins";
>   allow (write) groupdn = "ldap:///cn=orgGroup5,ou=groups,dc=domain,dc=org";)
> #
> aci: (target = "ldap:///dc=domain,dc=org")
>   (targetattr = "*")(version 3.0; acl "full access for delegated admins";
>   allow (all) groupdn = "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org";)
> #
> aci: (target = "ldap:///dc=domain,dc=org")
>   (targetfilter="(memberof=cn=orgGroup6,ou=Groups,dc=domain,dc=org)")
>   (targetattr="userpassword")
>   (version 3.0; acl "deny non-admin user write access to admin users' passwords";
>   deny (all) groupdn != "ldap:///cn=orgGroup6,ou=groups,dc=domain,dc=org"
>   ;)
> #
> aci: (target = "ldap:///dc=domain,dc=org")
>   (targetattr = "attr1 || attr2 || ... || attr19")
>   (version 3.0; acl "access to posixaccount attributes for proxyagent";
>   allow (read,search,compare) userdn = "ldap:///uid=binddn1,ou=svc_accts,dc=domain,dc=org";)
>
> thanks,
>
> -morgan
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users
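Added example, not part of the thread above and not code from the 389 project: one way to check, per bind DN, whether the ACIs actually grant what a search needs, using the Get Effective Rights control that 389 DS supports (OID 1.3.6.1.4.1.42.2.27.9.5.2). A search evaluated under a bind DN only matches an entry if that identity can view the entry and has search rights on every attribute in the filter, and only returns attributes it can read; the script parses the aclRights output (entryLevelRights / attributeLevelRights) for several bind DNs and flags any that lack one of those rights. The LDIF records below are constructed sample data, and the bind DNs, target entry and attribute names are assumptions, not values from the poster's directory.

```python
"""Compare 389 DS effective rights across bind DNs to find why a search returns nothing.

To collect real input, run one query per bind DN under test, bound as Directory
Manager and asking for that DN's rights (OpenLDAP ldapsearch syntax):

  ldapsearch -x -D "cn=Directory Manager" -W -b "ou=employees,dc=domain,dc=org" \
    -E '!1.3.6.1.4.1.42.2.27.9.5.2=:dn:uid=binddn1,ou=svc_accts,dc=domain,dc=org' \
    "(uid=jdoe)" aclRights uid cn mail

and feed each output into parse_ger_ldif(). Everything below the imports that
names a DN or attribute is an assumption for the example.
"""
import base64

GER_OID = "1.3.6.1.4.1.42.2.27.9.5.2"  # Get Effective Rights request control


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_rights_list(value):
    """'uid:rsc, userPassword:none' -> {'uid': {'r','s','c'}, 'userpassword': set()}."""
    rights = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        name, _, letters = item.partition(":")
        letters = letters.strip()
        rights[name.strip().lower()] = set() if letters == "none" else set(letters)
    return rights


def parse_ger_ldif(text):
    """Parse ldapsearch output with aclRights into {entry_dn: {'entry': set, 'attrs': {...}}}.

    Comment lines, 'version:', 'search:' and 'result:' lines outside a record are ignored.
    """
    entries = {}
    current = None
    for line in unfold_ldif(text) + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current is not None:
                entries[current["dn"]] = current
            current = None
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if value.startswith(":"):  # 'attr:: base64' form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        if key == "dn":
            current = {"dn": value, "entry": set(), "attrs": {}}
        elif current is None:
            continue
        elif key == "entrylevelrights":
            current["entry"] = set() if value == "none" else set(value)
        elif key == "attributelevelrights":
            current["attrs"] = parse_rights_list(value)
    return entries


def missing_rights(ger_by_binddn, filter_attrs, return_attrs):
    """Return sorted (bind_dn, entry_dn, problem) tuples for every right a search would need but lacks:
    'v' on the entry, 's' on each filter attribute, 'r' on each attribute to be returned."""
    problems = []
    for bind_dn, entries in ger_by_binddn.items():
        for dn, rec in entries.items():
            if "v" not in rec["entry"]:
                problems.append((bind_dn, dn, "entry not viewable (no 'v')"))
            for attr in filter_attrs:
                if "s" not in rec["attrs"].get(attr.lower(), set()):
                    problems.append((bind_dn, dn, f"no search right on {attr}"))
            for attr in return_attrs:
                if "r" not in rec["attrs"].get(attr.lower(), set()):
                    problems.append((bind_dn, dn, f"no read right on {attr}"))
    return sorted(problems)


# Constructed sample output (one GER query per bind DN), not data from any real server.
SAMPLE_GER = {
    "uid=binddn1,ou=svc_accts,dc=domain,dc=org": """\
dn: uid=jdoe,ou=employees,dc=domain,dc=org
entryLevelRights: v
attributeLevelRights: uid:rsc, cn:rsc, mail:rsc, userPassword:none

search: 2
result: 0 Success
""",
    "uid=binddn2,ou=svc_accts,dc=domain,dc=org": """\
dn: uid=jdoe,ou=employees,dc=domain,dc=org
entryLevelRights: v
attributeLevelRights: uid:none, cn:rsc, mail:rsc, userPassword:none
""",
    "uid=binddn3,ou=svc_accts,dc=domain,dc=org": """\
dn: uid=jdoe,ou=employees,dc=domain,dc=org
entryLevelRights: none
attributeLevelRights: uid:none, cn:none, mail:none, userPassword:none
""",
}


def check_sample():
    """Evaluate the sample for a client search '(uid=jdoe)' returning cn and mail."""
    parsed = {bd: parse_ger_ldif(txt) for bd, txt in SAMPLE_GER.items()}
    return missing_rights(parsed, filter_attrs=["uid"], return_attrs=["cn", "mail"])


if __name__ == "__main__":
    for bind_dn, entry_dn, problem in check_sample():
        print(f"{bind_dn}: {entry_dn}: {problem}")
```

Because the GER query runs as Directory Manager and only reports rights for the named authzid, it cannot by itself reproduce an intermittent failure; the useful pattern is to run it for a bind DN immediately after one of its searches comes back empty and diff that snapshot against one taken while the same bind DN was working.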