
OpenLDAP Quick Tips: Testing your Access Control Lists (ACLs)

Categories: OpenLDAP, Open Source, Suretec

Hi All,

Here's my 7th tip in the "OpenLDAP Quick Tips" series:

"You want to check your Access Control Lists configured in your directory server":

Previously we covered slaptest and slappasswd, so next up is slapacl.

Let's take a standard ACL example for protecting access to the userPassword attribute:

access to * attrs=userPassword
    by self write
    by anonymous auth
    by * none

We can verify that this does what is expected by using the slapacl tool:

[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "uid=ghenry,ou=users,ou=OxObjects,dc=suretecsystems,dc=com" "userPassword/read:"
authcDN: "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com"
read access to userPassword=: ALLOWED

Here -f points slapacl at our config file, -b names the entry we want to test against (the ghenry user's entry) and -D names the identity whose access we want to test (also ghenry, echoed back as the authcDN). The last argument is the attr/access spec; the trailing colon is the optional :value part, left empty here, which is why the output reads "userPassword=". Because the ACL grants "self write", and in OpenLDAP each access level includes the levels below it (write implies read, search, compare, auth and disclose), the user can read their own userPassword too.

Now if we try to access someone else's password, we get:

[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=laura,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "uid=ghenry,ou=users,ou=OxObjects,dc=suretecsystems,dc=com" "userPassword/read:"
authcDN: "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com"
read access to userPassword=: DENIED

I'm not allowed to see laura's password: ghenry is not "self" for that entry, so only the final "by * none" clause matches.

Of course, the rootdn bypasses all ACLs on its own database, so as expected it can read the userPassword attribute:

[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=laura,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "cn=admin,dc=suretecsystems,dc=com" "userPassword/read:"
authcDN: "cn=admin,dc=suretecsystems,dc=com"
read access to userPassword=: ALLOWED

This should give you a taster of how to test your ACLs on the command line. Remember that slapacl, like the other slap* tools, reads slapd.conf (or the slapd.d directory via -F) and the database files directly rather than talking to a running server, so run it as root or as the user slapd runs as.
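Running slapacl by hand for one case at a time gets tedious, and an ACL change can silently break a clause you were not looking at. Here is a small regression harness, added here as an example and not part of the original post, that runs slapacl over a table of (identity, target entry, attr/access, expected verdict) cases and reports any mismatch. It uses the post's paths and DNs (change SLAPACL and CONF for your box); the two anonymous cases assume that slapacl with no -D evaluates the request as an anonymous identity, and the rootdn case assumes cn=admin,dc=suretecsystems,dc=com is the rootdn of that database, as the post implies.

```shell
#!/bin/sh
# Added example, not from the original post: a regression harness that runs
# slapacl over a table of (identity, target entry, attr/access, expected)
# cases and flags any mismatch. Paths and DNs are the post's; the anonymous
# cases assume slapacl with no -D evaluates as an anonymous identity.

SLAPACL=${SLAPACL:-/usr/local/sbin/slapacl}
CONF=${CONF:-/usr/local/etc/openldap/slapd.conf}
BASE="ou=users,ou=oxobjects,dc=suretecsystems,dc=com"

# Pull the verdict out of slapacl's output. slapacl prints one line per
# requested attr/access, e.g. "read access to userPassword: ALLOWED", so we
# keep the last word of the last such line; anything else (an error, an
# unparseable config) yields an empty verdict.
verdict_of() {
    printf '%s\n' "$1" |
        awk '/ access to .*: (ALLOWED|DENIED)$/ { v = $NF } END { print v }'
}

# Run slapacl for one case: $1 = identity DN (empty for anonymous, i.e. no -D),
# $2 = target entry DN, $3 = attr/access spec such as userPassword/read.
run_case() {
    if [ -n "$1" ]; then
        out=$("$SLAPACL" -f "$CONF" -b "$2" -D "$1" "$3" 2>&1)
    else
        out=$("$SLAPACL" -f "$CONF" -b "$2" "$3" 2>&1)
    fi
    verdict_of "$out"
}

# Compare expected ($2) with observed ($3) for case $1; returns 0 on a match.
check() {
    if [ "$2" = "$3" ]; then
        printf 'PASS %s: %s\n' "$1" "$3"
        return 0
    fi
    printf 'FAIL %s: expected %s, got %s\n' "$1" "$2" "${3:-<no verdict>}"
    return 1
}

# The cases from the post, plus the ones the ACL also promises: you may write
# your own password but not anyone else's, and anonymous gets auth only.
# Fields: label|identity DN|target DN|attr/access|expected
run_suite() {
    fail=0
    while IFS='|' read -r label authc target spec expected; do
        check "$label" "$expected" "$(run_case "$authc" "$target" "$spec")" || fail=1
    done <<EOF
self-read|uid=ghenry,$BASE|uid=ghenry,$BASE|userPassword/read|ALLOWED
self-write|uid=ghenry,$BASE|uid=ghenry,$BASE|userPassword/write|ALLOWED
other-read|uid=ghenry,$BASE|uid=laura,$BASE|userPassword/read|DENIED
other-write|uid=ghenry,$BASE|uid=laura,$BASE|userPassword/write|DENIED
anon-auth||uid=laura,$BASE|userPassword/auth|ALLOWED
anon-read||uid=laura,$BASE|userPassword/read|DENIED
rootdn-read|cn=admin,dc=suretecsystems,dc=com|uid=laura,$BASE|userPassword/read|ALLOWED
EOF
    return $fail
}

# slapacl reads slapd.conf and the database files directly, so run this as
# root or as the user slapd runs as.
if [ -x "$SLAPACL" ]; then
    run_suite
else
    printf 'slapacl not found at %s; set SLAPACL to its path\n' "$SLAPACL" >&2
fi
```

Add a row to the table for every clause you care about, and run the script after each ACL edit: a verdict that flips from DENIED to ALLOWED (or an empty verdict, which means slapacl itself failed, usually a config that no longer parses) shows up as a FAIL line before the change reaches a live server. If the entries do not exist yet, slapacl's -u option evaluates the ACL against a fake entry with the given DN, which is enough for clauses like this one that only look at the DN and attribute name.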



If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.



Bash on :


Your "CODE" block looks all messed up in my browser (Ubuntu 8.10 Firefox 3.0.4)

There are tons of "&#160" and "&#91" sprinkled and one can't make out what the commands/text are.


Gavin Henry on :

Can you send me a screenshot? You're the second person to say this but I can't see it. Is this through Live Bookmarks?
