Question about OpenLDAP ACLs



Hi, I am working with OpenLDAP and Samba to build a centralized
authentication system. The system is working, but now I want to secure
the directory. To that end, each application that accesses the directory
will use a specific user to read/write (as appropriate) in the directory.

I am following the Samba-OpenLDAP HOWTO (the IDEALX one), which shows
the steps to create those application-specific users.
The problem arises when I write the following ACL:

access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambahomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListOption,entry
        by dn="cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com" write
        by self read
        by * none

When I try to ssh in with a user that exists in the directory, the
system prints:

Connection to 192.168.0.1 closed by remote host.
Connection to 192.168.0.1 closed.

The syslog file shows the following:

---------------------------------------------------------------------------------------------------
Jan 23 21:22:35 experimentos2 slapd[4754]: <= acl_mask: [3] mask: none(=n)
Jan 23 21:22:35 experimentos2 slapd[4754]: => access_allowed: search
access denied by none(=n)
Jan 23 21:37:26 experimentos2 -- MARK --
Jan 23 21:39:01 experimentos2 slapd[4754]: => access_allowed: search
access to "uid=root,ou=personas,dc=ejemplo,dc=ejemplo,dc=com" "uid"
requested
Jan 23 21:39:01 experimentos2 slapd[4754]: <= root access granted
Jan 23 21:39:01 experimentos2 slapd[4754]: => access_allowed: read
access to "uid=root,ou=personas,dc=ejemplo,dc=ejemplo,dc=com" "entry"
requested
Jan 23 21:39:01 experimentos2 slapd[4754]: <= root access granted
Jan 23 21:39:01 experimentos2 slapd[4754]: => access_allowed: read
access to "uid=root,ou=personas,dc=ejemplo,dc=ejemplo,dc=com" "uid"
requested
Jan 23 21:39:01 experimentos2 slapd[4754]: <= root access granted
Jan 23 21:39:01 experimentos2 slapd[4754]: => access_allowed: read
access to "uid=root,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"sambaSID" requested
Jan 23 21:39:01 experimentos2 slapd[4754]: <= root access granted
Jan 23 21:39:01 experimentos2 slapd[4754]: => access_allowed: read
access to "uid=root,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"sambaPrimaryGroupSID" requested
Jan 23 22:41:13 experimentos2 slapd[4987]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"uidNumber" requested
Jan 23 22:41:13 experimentos2 slapd[4987]: <= root access granted
Jan 23 22:41:13 experimentos2 slapd[4987]: => access_allowed: search
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"objectClass" requested
Jan 23 22:41:13 experimentos2 slapd[4987]: => acl_get: [2] attr objectClass
Jan 23 22:41:13 experimentos2 slapd[4987]: => acl_mask: access to
entry "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com", attr
"objectClass" requested
Jan 23 22:41:13 experimentos2 slapd[4987]: => acl_mask: to value by "", (=n)
Jan 23 22:41:13 experimentos2 slapd[4987]: <= check a_dn_pat:
cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com
Jan 23 22:41:13 experimentos2 slapd[4987]: <= check a_dn_pat: self
Jan 23 22:41:13 experimentos2 slapd[4987]: <= check a_dn_pat: *
Jan 23 22:41:13 experimentos2 slapd[4987]: <= acl_mask: [3] applying
none(=n) (stop)
Jan 23 22:41:13 experimentos2 slapd[4987]: <= acl_mask: [3] mask: none(=n)
Jan 23 22:41:13 experimentos2 slapd[4987]: => access_allowed: search
access denied by none(=n)
Jan 23 22:41:13 experimentos2 slapd[4987]: => access_allowed: search
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"uidNumber" requested
Jan 23 22:41:13 experimentos2 slapd[4987]: => acl_get: [2] attr uidNumber
Jan 23 22:41:13 experimentos2 slapd[4987]: => acl_mask: access to
entry "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com", attr
"uidNumber" requested
Jan 23 22:41:13 experimentos2 slapd[4987]: => acl_mask: to value by "", (=n)
Jan 23 22:41:13 experimentos2 slapd[4987]: <= check a_dn_pat:
cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com
Jan 23 22:41:13 experimentos2 slapd[4987]: <= check a_dn_pat: self
Jan 23 22:41:13 experimentos2 slapd[4987]: <= check a_dn_pat: *
Jan 23 22:41:13 experimentos2 slapd[4987]: <= acl_mask: [3] applying
none(=n) (stop)
Jan 23 22:41:13 experimentos2 slapd[4987]: <= acl_mask: [3] mask: none(=n)
Jan 23 22:41:13 experimentos2 slapd[4987]: => access_allowed: search
access denied by none(=n)

----------------------------------------------------------------------------------------------------


But when I change the last <who> <access> pair (that is, "* none") to
"* read", users can log in without problems. The log for that is:

------------------------------------------------------------------------------------------------------
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"homeDirectory" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_get: [2] attr homeDirectory
Jan 23 22:47:38 experimentos2 slapd[5045]: access_allowed: no res from
state (homeDirectory)
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_mask: access to
entry "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com", attr
"homeDirectory" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_mask: to value by "", (=n)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat:
cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat: self
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat: *
Jan 23 22:47:38 experimentos2 slapd[5045]: <= acl_mask: [3] applying
read(=rscx) (stop)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= acl_mask: [3] mask: read(=rscx)
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access granted by read(=rscx)
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"objectClass" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_get: [2] attr objectClass
Jan 23 22:47:38 experimentos2 slapd[5045]: access_allowed: no res from
state (objectClass)
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_mask: access to
entry "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com", attr
"objectClass" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_mask: to value by "", (=n)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat:
cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat: self
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat: *
Jan 23 22:47:38 experimentos2 slapd[5045]: <= acl_mask: [3] applying
read(=rscx) (stop)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= acl_mask: [3] mask: read(=rscx)
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access granted by read(=rscx)
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"uidNumber" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_get: [2] attr uidNumber
Jan 23 22:47:38 experimentos2 slapd[5045]: access_allowed: no res from
state (uidNumber)
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_mask: access to
entry "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com", attr
"uidNumber" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: => acl_mask: to value by "", (=n)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat:
cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat: self
Jan 23 22:47:38 experimentos2 slapd[5045]: <= check a_dn_pat: *
Jan 23 22:47:38 experimentos2 slapd[5045]: <= acl_mask: [3] applying
read(=rscx) (stop)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= acl_mask: [3] mask: read(=rscx)
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access granted by read(=rscx)
Jan 23 22:47:38 experimentos2 slapd[5045]: <= root access granted
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"loginShell" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: <= root access granted
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"gidNumber" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: <= root access granted
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"homeDirectory" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: <= root access granted
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"objectClass" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: <= root access granted
Jan 23 22:47:38 experimentos2 slapd[5045]: => access_allowed: read
access to "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
"uidNumber" requested
Jan 23 22:47:38 experimentos2 slapd[5045]: <= root access granted
--------------------------------------------------------------------------


The problem is that if I let everyone read the Samba attributes, the
security I am trying to establish is useless.

Thanks for your help, regards
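As an added example (not from the original post or the IDEALX HOWTO), here is a small Python model of how slapd evaluates these directives: the first `access to` clause whose attribute list covers the requested attribute is final, and inside it the first matching `by` clause decides. It compares the poster's single rule, abbreviated to the attributes the log touches, with a split layout in which the Samba hashes keep `by * none` while `entry` and the attributes NSS looks up are readable; the DNs are the ones from the post, and dn styles, `users`, regex patterns and the rootdn bypass are left out.

```python
# Added example, not from the original post: minimal model of slapd ACL evaluation.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

SAMBA_DN = "cn=samba,ou=sistema,dc=ejemplo,dc=ejemplo,dc=com"
ALUMNO_DN = "uid=alumno,ou=personas,dc=ejemplo,dc=ejemplo,dc=com"
ANON = ""  # anonymous bind, shown in the slapd log as: to value by ""

# Attribute sets abbreviated to what the post's log touches (lower-cased: LDAP
# attribute names are case-insensitive).
SAMBA_SECRETS = {"sambalmpassword", "sambantpassword", "sambapasswordhistory"}
NSS_ATTRS = {"uid", "uidnumber", "gidnumber", "homedirectory", "loginshell", "objectclass", "cn"}
# The poster's rule: hashes, cn and the "entry" pseudo-attribute in one clause ending "by * none".
ORIGINAL_ACL = [
    (SAMBA_SECRETS | {"cn", "entry"},
     [("dn", SAMBA_DN, "write"), ("self", None, "read"), ("*", None, "none")]),
]
# Split rules: hashes stay locked down, entry and NSS attributes are world
# readable, userPassword gets the usual "anonymous auth, self write" pattern.
SPLIT_ACL = [
    (SAMBA_SECRETS,
     [("dn", SAMBA_DN, "write"), ("self", None, "read"), ("*", None, "none")]),
    ({"userpassword"},
     [("dn", SAMBA_DN, "write"), ("self", None, "write"),
      ("anonymous", None, "auth"), ("*", None, "none")]),
    (NSS_ATTRS | {"entry"}, [("dn", SAMBA_DN, "write"), ("*", None, "read")]),
]

def who_matches(kind, pattern, bind_dn, target_dn):
    """Subset of slapd <who> forms: *, anonymous, self and an exact dn."""
    if kind == "*":
        return True
    if kind == "anonymous":
        return bind_dn == ""
    if kind == "self":
        return bind_dn != "" and bind_dn.lower() == target_dn.lower()
    if kind == "dn":
        return bind_dn.lower() == pattern.lower()
    raise ValueError(f"unsupported who clause: {kind}")

def access_allowed(acl, bind_dn, target_dn, attr, wanted):
    """Return (granted, deciding clause). The first "to" clause covering the
    attribute is final; within it the first matching "by" decides, and a level at
    or above the requested one grants. Unmatched attributes fall through to slapd's
    implicit trailing "access to * by * none"."""
    for attrs, by_clauses in acl:
        if attr.lower() in attrs:
            for kind, pattern, level in by_clauses:
                if who_matches(kind, pattern, bind_dn, target_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted), f"{kind} {level}"
            return False, "no matching by clause"
    return False, "implicit access to * by * none"
```

In the model, an anonymous request for `entry` under the original rule stops at `* none`, while under the split rules `entry` and the NSS attributes resolve to `* read` and `sambaNTPassword` stays denied to everyone except the Samba DN and the user itself.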