Bug 43523 - added ldap/acl/read/regex to slapd.conf template
Status: CLOSED INVALID
Product: UCS
Classification: Unclassified
Component: LDAP
Version: UCS 4.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 4.1-4-errata
Assigned To: Felix Botner
QA Contact: Arvid Requate
URL: https://linux.die.net/man/5/slapd.access
Depends on:
Blocks: 43399
Reported: 2017-02-10 15:06 CET by Felix Botner
Modified: 2023-03-25 06:50 CET (History)
Description Felix Botner univentionstaff 2017-02-10 15:06:20 CET
http://www.openldap.org/doc/admin24/access-control.html

Similar to ldap/acl/read/ips (valid IP address) we need an ldap/acl/read/regex, which allows access to something like 172\.17\.42\..*.

access to dn.subtree="dc=four,dc=test" attrs=entry,uid
   by peername.regex=127\.0\.0\..* read
   by anonymous auth
   by * +0 break
access to *
   by set="user & [cn=Domain Admins,cn=groups,dc=four,dc=test]/uniqueMember*" write
   by users read
   by peername.regex=127\.0\.0\..* read
Comment 1 Florian Best univentionstaff 2017-02-13 10:40:46 CET
I think it would be better to:
* put the value into double quotes (peername.regex="foo")
* value.strip() the value so that "foo, bar" is possible and not only "foo,bar"
* escape/encode the value correctly, e.g. value.replace('\\', '\\\\').replace('"', '\\"')
Comment 2 Arvid Requate univentionstaff 2017-02-13 17:51:05 CET
Just curious: isn't ldap/acl/read/ips sufficient? Setting

ucr set ldap/acl/read/ips=127.0.0.0%255.255.255.0

on my UCS 4.1 server results in this:
=============================================================================
access to dn.subtree="dc=ar41i1,dc=qa" attrs=entry,uid
   by peername.ip=127.0.0.0%255.255.255.0 read
   by anonymous auth
   by * +0 break
access to *
   by set="user & [cn=Domain Admins,cn=groups,dc=ar41i1,dc=qa]/uniqueMember*" write
   by users read
   by peername.ip=127.0.0.0%255.255.255.0 read
=============================================================================
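To make the two points above concrete, here is an added, stand-alone Python sketch (not the UCS template and not code from this bug) of how a template could turn the ldap/acl/read/ips value Arvid set, and the ldap/acl/read/regex value proposed in the description, into "by ..." clauses: entries are stripped and validated, and regex values are double-quoted and escaped as Florian suggested. The function names and the sample values are assumptions made for this illustration; the escaping rule follows slapd.conf(5), which requires a backslash before an embedded double quote or backslash inside a quoted token.

```python
import ipaddress

# Added example: not the UCS template itself. Function names and sample
# values are constructed for this illustration.


def escape_acl_value(value):
    r"""Escape a value for use inside a double-quoted slapd.conf token.

    slapd.conf(5) requires a backslash before an embedded double quote or
    backslash, so a regex such as 127\.0\.0\..* must have every backslash
    doubled when written as peername.regex="...".
    """
    return value.replace('\\', '\\\\').replace('"', '\\"')


def is_valid_ip_entry(entry):
    """True if entry is an IP address or address%netmask, the forms slapd
    accepts for peername.ip. Anything else would make slapd refuse to load
    the generated configuration, so it is rejected before rendering."""
    addr, sep, mask = entry.partition('%')
    try:
        ipaddress.ip_address(addr)
        if sep:
            # the dotted netmask after '%' is validated as a network mask
            ipaddress.ip_network(f'{addr}/{mask}', strict=False)
    except ValueError:
        return False
    return True


def split_list(raw):
    """Split a comma-separated UCR value and strip whitespace around each
    item, so 'foo, bar' and 'foo,bar' are treated alike."""
    return [item.strip() for item in raw.split(',') if item.strip()]


def render_read_clauses(ips='', regexes=''):
    """Render the 'by ... read' clauses granting anonymous read access.

    ips:     value of ldap/acl/read/ips (comma-separated)
    regexes: value of the proposed ldap/acl/read/regex (comma-separated)
    Raises ValueError on an invalid IP entry instead of emitting it.
    """
    lines = []
    for entry in split_list(ips):
        if not is_valid_ip_entry(entry):
            raise ValueError(f'ldap/acl/read/ips: invalid entry {entry!r}')
        lines.append(f'   by peername.ip={entry} read')
    for regex in split_list(regexes):
        lines.append(f'   by peername.regex="{escape_acl_value(regex)}" read')
    return lines


if __name__ == '__main__':
    # constructed sample values
    for line in render_read_clauses(
            ips='127.0.0.1, 192.168.0.0%255.255.255.0',
            regexes=r'127\.0\.0\..*, 172\.17\.42\..*'):
        print(line)
```

One limitation of comma-separated values, which the comments above do not mention: a regex that itself contains a comma cannot be expressed this way, which is another argument for the simpler address%netmask form of ldap/acl/read/ips.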
Comment 3 Felix Botner univentionstaff 2017-02-20 12:07:40 CET
(In reply to Arvid Requate from comment #2)
> Just curious: isn't ldap/acl/read/ips sufficient? Setting
> 
> ucr set ldap/acl/read/ips=127.0.0.0%255.255.255.0
> 
> on my UCS 4.1 server results in this:
> =============================================================================
> access to dn.subtree="dc=ar41i1,dc=qa" attrs=entry,uid
>    by peername.ip=127.0.0.0%255.255.255.0 read
>    by anonymous auth
>    by * +0 break
> access to *
>    by set="user & [cn=Domain Admins,cn=groups,dc=ar41i1,dc=qa]/uniqueMember*" write
>    by users read
>    by peername.ip=127.0.0.0%255.255.255.0 read
> =============================================================================

OK, yes, that works.
Reverted the peername.regex changes.
Comment 4 Arvid Requate univentionstaff 2018-06-26 12:54:18 CEST
Ok, the description has been improved a bit, but that's fine.


diff --git a/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables b/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables
index 2b5976de71..a9e7edc944 100644
--- a/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables
+++ b/management/univention-ldap/debian/univention-ldap-server.univention-config-registry-variables


 [ldap/acl/read/ips]
-Description[de]=Wenn die LDAP-Suche nur authentifiziert möglich ist (siehe 'ldap/acl/read/anonymous'), können einzelne IP-Adressen über diese Variable für den anonymen Lesezugriff freigeschaltet werden. Mehrere Werte werden durch Komma getrennt.
-Description[en]=If only authenticated LDAP searches are allowed (see 'ldap/acl/read/anonymous'), individual IP addresses can be granted anonymous read permissions via this variable. Multiple values are separated by commas.
+Description[de]=Wenn die LDAP-Suche nur authentifiziert möglich ist (siehe 'ldap/acl/read/anonymous'), können einzelne IP-Adressen über diese Variable für den anonymen Lesezugriff freigeschaltet werden. Mehrere Werte werden durch Komma getrennt (z.B. ldap/acl/read/ips='127.0.0.1,192.168.0.0%255.255.255.0').
+Description[en]=If only authenticated LDAP searches are allowed (see 'ldap/acl/read/anonymous'), individual IP addresses can be granted anonymous read permissions via this variable. Multiple values are separated by commas (e.g. ldap/acl/read/ips='127.0.0.1,192.168.0.0%255.255.255.0').
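Review bot: the wording "individual IP addresses" / "einzelne IP-Adressen" kept in both new Description lines no longer matches the example appended to them, which also shows a network with a netmask (192.168.0.0%255.255.255.0). Suggest stating the netmask form explicitly, e.g. "individual IP addresses or networks (address%netmask)" and "einzelne IP-Adressen oder Netze (Adresse%Netzmaske)", so an administrator reading the variable description knows the form the example relies on is supported.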