
I have multiple DITs in my OpenLDAP server. I made cn=config the root so that cn=config has root access to all DITs (each DIT). In addition, there is a per-DIT administrator identified as cn=admin,$suffix (for example cn=admin,dc=example,dc=com or whatever).

I added a custom attribute to admin and user objects. The attribute is named 'serviceLevel' and its values are either 'suspended' or 'normal'. The attribute is optional, and when it is not present we interpret it as normal, not suspended.

Currently, when serviceLevel is set to 'suspended', my ACL suspends regular users but does not suspend local/DIT admins. I need admins to be unable to authenticate, like regular users.

The sample current LDIF setting ACLs is below:

dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(serviceLevel=suspended)
  by dn="cn=config" write
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(!(serviceLevel=suspended))
  by self write
  by anonymous auth
  by dn="cn=admin,dc=directory,dc=com" write
  by dn="cn=config" write
  by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  filter=(serviceLevel=suspended)
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(!(serviceLevel=suspended))
  by self write
  by dn="cn=admin,dc=directory,dc=com" write
  by dn="cn=config" write
  by * read

Please advise if you have an idea why domain admins slip through my ACL. I apparently don't understand how to properly set these rules.

Moshe Shmukler

1 Answer

I believe you are taking a more complicated approach than necessary. To disable a DIT, disable its corresponding database. This can be accomplished by setting olcHidden: TRUE.

olcHidden: TRUE | FALSE
Controls whether the database will be used to answer queries. A database that is hidden will never be selected to answer any queries, and any suffix configured on the database will be ignored in checks for conflicts with other databases. By default, olcHidden is FALSE.

ldapmodify <<EOF
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcHidden
olcHidden: TRUE
EOF

Additional Note:

Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.

As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the clauses. --OpenLDAP Software 2.4 Administrator's Guide

84104
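As an added illustration (not part of the question or the answer, and not OpenLDAP code), here is a toy Python model of how slapd walks the page's clauses {0} and {1}: first matching `to` clause, first matching `by` clause, and a rootdn that never reaches the ACL at all. The bind step is simplified to the anonymous `auth` check on userPassword, and the user `alice` and the `rootdns` parameter are assumptions of the model.

```python
# Toy model of slapd ACL evaluation (added example, not OpenLDAP code).
# Simple bind is reduced to the check slapd makes for an anonymous
# connection that needs "auth" access to the target's userPassword.
LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def suspended(entry):
    # An absent attribute means "normal", as the question defines it.
    return entry.get("serviceLevel") == "suspended"

# The page's clauses {0} and {1} for attrs=userPassword,shadowLastChange.
ACL = [
    (suspended, [("dn:cn=config", "write"), ("*", "none")]),
    (lambda e: not suspended(e), [("self", "write"), ("anonymous", "auth"),
                                  ("dn:cn=admin,dc=directory,dc=com", "write"),
                                  ("dn:cn=config", "write"), ("*", "none")]),
]

def granted(by_list, identity, entry_dn):
    """Access level from the first <who> that matches the bound identity."""
    for who, level in by_list:
        if who == "*" or (who == "anonymous" and identity is None) \
           or (who == "self" and identity == entry_dn) \
           or (who.startswith("dn:") and identity == who[3:]):
            return level
    return "none"

def access_allowed(identity, entry_dn, entry, needed, rootdns=()):
    """Does `identity` get `needed` access to userPassword of `entry`?"""
    if identity in rootdns:          # rootdn: the ACL is never consulted
        return True
    for matches, by_list in ACL:     # first matching <what> clause decides
        if matches(entry):
            return LEVELS[granted(by_list, identity, entry_dn)] >= LEVELS[needed]
    return False                     # no clause matched: implicit "by * none"

def can_bind(dn, entry, rootdns=()):
    """Simple bind: a rootdn is verified outside the ACL; anyone else needs
    anonymous 'auth' access to their own userPassword."""
    if dn in rootdns:
        return True
    return access_allowed(None, dn, entry, "auth")

if __name__ == "__main__":
    admin = "cn=admin,dc=directory,dc=com"
    user = "uid=alice,ou=people,dc=directory,dc=com"   # constructed entry
    frozen = {"serviceLevel": "suspended"}
    print(can_bind(user, frozen))                    # False: clause {0} -> none
    print(can_bind(user, {}))                        # True: clause {1}, anonymous auth
    print(can_bind(admin, frozen))                   # False: plain entry, ACL applies
    print(can_bind(admin, frozen, rootdns={admin}))  # True: rootdn bypasses the ACL
```

The last two calls are the question's symptom: the same suspended admin entry is blocked by clause {0} as an ordinary entry, but slips through when that DN is the database's rootdn.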