Skip to content

OpenLDAP Quick Tips: Testing your Access Control Lists (ACLs)

Posted by Gavin Henry on
OpenLDAPOpen SourceSuretec Hi All,

Here's my 7th tip in the "OpenLDAP Quick Tips" series:

"You want to check your Access Control Lists configured in your directory server":



Previously we covered slaptest and slappasswd, so next is slapacl

Let's take a standard ACL example for protecting access to the userPassword attribute:

CODE:
access to * attrs=userPassword             by self write             by anonymous auth             by * none


We can verify that this does what is expected by using the slapacl tool:

CODE:
[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "uid=ghenry,ou=users,ou=OxObjects,dc=suretecsystems,dc=com" "userPassword/read:" authcDN: "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" read access to userPassword=: ALLOWED


Here we point to our config file, stating that the entry we want to test against is the ghenry user entry and that the user we want to test that has access permissions is the ghenry user. Because we have self write access, we can obviously read that attribute too.

Now if we try to access someone elses password, we get:

CODE:
[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=laura,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "uid=ghenry,ou=users,ou=OxObjects,dc=suretecsystems,dc=com" "userPassword/read:" authcDN: "uid=ghenry,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" read access to userPassword=: DENIED


I'm not allowed to see the laura users password.

Of course, the rootdn user by passes all ACLs, so as expected, they can read the userPassword attribute:

CODE:
[root@suretec ~]# /usr/local/sbin/slapacl -f /usr/local/etc/openldap/slapd.conf -b "uid=laura,ou=users,ou=oxobjects,dc=suretecsystems,dc=com" -D "cn=admin,dc=suretecsystems,dc=com" "userPassword/read:" authcDN: "cn=admin,dc=suretecsystems,dc=com" read access to userPassword=: ALLOWED


This should give you a taster of how to test your ACLs on the command line.

Thanks,

Gavin.

If you have an entry for our "OpenLDAP Quick Tips" series, why not e-mail your tip to us.

P.S. For direct access to this section, you can click OpenLDAP Quick Tips.

Trackbacks

No Trackbacks

Comments

Display comments as Linear | Threaded

Bash on :

*Hi

Your "CODE" block looks all messed up in my browser (Ubuntu 8.10 Firefox 3.0.4)

There are tons of "&#160" and "&#91" sprinkled and one can't make out what the commands/text are.

Thanks

Gavin Henry on :

*Can you send me a screenshot, you're the second person to say this but I can't see it. Is this through Live Bookmarks?

Add Comment

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.
BBCode format allowed
Pavatar, Gravatar, Favatar, MyBlogLog, Pavatar author images supported.
Form options

Warning: Use of undefined constant CHARSET_NATIVE - assumed 'CHARSET_NATIVE' (this will throw an Error in a future version of PHP) in /home/suretecsystems/www/blog/serendipity_config.inc.php on line 182
tweetbackcheck