Bug 39877 - ldap/acl/read/ips does not work
ldap/acl/read/ips does not work
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: LDAP
UCS 4.1
Other Linux
: P5 normal
: UCS 4.1
Assigned To: Stefan Gohmann
Florian Best
: interim-3
Depends on: 29482
Blocks: 39878
Reported: 2015-11-11 15:03 CET by Stefan Gohmann
Modified: 2015-12-14 13:03 CET (History)

Description Stefan Gohmann univentionstaff 2015-11-11 15:03:10 CET
The fix for Bug #29482 seems to break the anonymous read via IP, for example:
 ucr set ldap/acl/read/ips="127.0.0.1"

This results in the following in my test setup:
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
   by anonymous auth
   by * +0 break
access to *
   by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
   by users read
   by peername.ip=127.0.0.1 read
-------------------------------------------------------------------

An anonymous search via 127.0.0.1 is not possible. After removing the lines
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
   by anonymous auth
   by * +0 break
-------------------------------------------------------------------
it works again.


+++ This bug was initially created as a clone of Bug #29482 +++

With a Kerberos ticket as Administrator, I cannot perform LDAP operations as Administrator on a 3.0 / 3.1 system:

Administrator@master411:~$ kinit Administrator
Administrator@DEADLOCK41.LOCAL's Password: 
Administrator@master411:~$ ldapadd -Y GSSAPI -f x
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=users2,dc=deadlock41,dc=local"
ldap_add: Insufficient access (50)
        additional info: no write access to parent

Administrator@master411:~$ ldapsearch -Y GSSAPI uid=Administrator -LLL uid userPassword
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: uid=Administrator,cn=users,dc=deadlock41,dc=local
uid: Administrator

Administrator@master411:~$
Comment 1 Stefan Gohmann univentionstaff 2015-11-11 15:46:20 CET
I've simply added the configured IPs before the "by anonymous auth" statement.
Comment 2 Florian Best univentionstaff 2015-11-11 17:17:45 CET
DC Master SASL auth without ldap/acl/read/ips: OK
DC Master SASL auth with ldap/acl/read/ips: OK
DC Master read with IP in ldap/acl/read/ips: OK
DC Master read not allowed from IPs not in ldap/acl/read/ips: OK
DC Slave read with IP in ldap/acl/read/ips: OK
DC Slave read not allowed from IPs not in ldap/acl/read/ips: OK
Changelog not required due to interim version.
Comment 3 Stefan Gohmann univentionstaff 2015-11-17 12:12:30 CET
UCS 4.1 has been released:
 https://docs.software-univention.de/release-notes-4.1-0-en.html
 https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
Comment 4 Philipp Hahn univentionstaff 2015-12-14 13:03:22 CET
(In reply to Stefan Gohmann from comment #0)
> access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
>    by anonymous auth
>    by * +0 break
> access to *
>    by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
>    by users read
>    by peername.ip=127.0.0.1 read

The problem was that "stop" is the default control value, which stops processing ACLs immediately and thus skips all following ACLs. As the read from 127.0.0.1 is "by anonymous", that later rule was never reached.
Adding a "break" would have allowed slapd to continue using the following ACLs.
It might be a good idea to change that for Bug #34203.
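The evaluation order that comment 4 explains (the first matching "by" clause decides, "stop" is the default control, "break" moves on to the next "access to" directive) can be replayed against the ACL quoted in the description. The following is an added example and not UCS or OpenLDAP code: a small Python model of slapd's access evaluation, restricted to the syntax that appears on this page. parse_acl, access_allowed, entry_visible, Requester and the domain_admin flag (which stands in for the set="..." group lookup) are assumptions of this example; BROKEN_ACL is the ACL from the description, and FIXED_ACL applies the reordering comment 1 describes, with the configured IP inserted before "by anonymous auth".

```python
import shlex
from collections import namedtuple
from dataclasses import dataclass, field
from typing import List, Optional

# slapd access levels, weakest to strongest; a level implies every level before it
LEVEL_RANK = {lvl: i for i, lvl in enumerate(
    ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"])}

# who: "*", "anonymous", "users", "peername.ip=...", "set=..."; access: level or "+0";
# control: "stop" (slapd's default), "break" or "continue"
By = namedtuple("By", "who access control")

@dataclass
class Directive:
    subtree: Optional[str] = None   # None means "access to *"
    attrs: Optional[set] = None     # None means every attribute
    bys: List[By] = field(default_factory=list)

@dataclass
class Requester:
    peer_ip: str
    bind_dn: Optional[str] = None   # None means anonymous
    domain_admin: bool = False      # stands in for the set="..." group lookup (simplified)

def parse_acl(text: str) -> List[Directive]:
    """Parse the slapd.conf-style 'access to ... by ...' subset used on this page."""
    directives: List[Directive] = []
    for raw in text.splitlines():
        tokens = shlex.split(raw)   # keeps the quoted set="..." expression as one token
        if tokens[:2] == ["access", "to"]:
            d = Directive()
            for what in tokens[2:]:
                if what.startswith("dn.subtree="):
                    d.subtree = what.split("=", 1)[1].lower()
                elif what.startswith("attrs="):
                    d.attrs = set(what.split("=", 1)[1].split(","))
            directives.append(d)
        elif tokens[:1] == ["by"]:
            control = tokens[3] if len(tokens) > 3 else "stop"
            directives[-1].bys.append(By(tokens[1], tokens[2], control))
    return directives

def who_matches(who: str, req: Requester) -> bool:
    if who.startswith("peername.ip="):
        return req.peer_ip == who.split("=", 1)[1]
    if who.startswith("set="):
        return req.domain_admin     # simplification: real slapd evaluates the set expression
    return {"*": True, "anonymous": req.bind_dn is None, "users": req.bind_dn is not None}[who]

def access_allowed(directives, req, target_dn, attr, wanted) -> bool:
    """True if req ends up with at least 'wanted' access to attr of target_dn."""
    mask = "none"                      # nothing applicable means denied
    for d in directives:
        if d.subtree is not None and not target_dn.lower().endswith(d.subtree):
            continue
        if d.attrs is not None and attr not in d.attrs:
            continue
        control, matched = "stop", False
        for b in d.bys:
            if not who_matches(b.who, req):
                continue
            matched = True
            if b.access != "+0":       # "+0" leaves the mask accumulated so far untouched
                mask = b.access
            control = b.control
            if control != "continue":
                break                  # the first matching 'by' clause decides
        if not matched:
            mask = "none"              # implicit trailing 'by * none stop'
        if control != "break":
            break                      # "stop": this directive has the final word
    return LEVEL_RANK[mask] >= LEVEL_RANK[wanted]

def entry_visible(directives, req, dn) -> bool:
    """slapd only returns an entry in search results if 'entry' may be read."""
    return access_allowed(directives, req, dn, "entry", "read")

# the ACL quoted in the description (comment 0)
BROKEN_ACL = """access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
   by anonymous auth
   by * +0 break
access to *
   by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
   by users read
   by peername.ip=127.0.0.1 read
"""
# the reordering comment 1 describes: configured IPs before "by anonymous auth"
FIXED_ACL = BROKEN_ACL.replace(
    "   by anonymous auth", "   by peername.ip=127.0.0.1 read\n   by anonymous auth")
ADMIN_DN = "uid=Administrator,cn=users,dc=deadlock44,dc=intranet"

if __name__ == "__main__":
    anon_local = Requester(peer_ip="127.0.0.1")
    for name, text in (("broken", BROKEN_ACL), ("fixed", FIXED_ACL)):
        print(name, "-> anonymous search from 127.0.0.1 returns Administrator:",
              entry_visible(parse_acl(text), anon_local, ADMIN_DN))
```

Running it prints False for the broken ordering and True for the fixed one: with the original ACL, an anonymous bind from 127.0.0.1 hits "by anonymous auth" in the first directive, the default "stop" ends evaluation with only auth access, and the "by peername.ip=127.0.0.1 read" clause of the second directive is never reached for the entry and uid attributes, so no entry can be returned at all (other attributes such as cn are still readable, because only the second directive applies to them). Authenticated users are unaffected in both orderings, since "by * +0 break" carries them into the second directive. The model ignores DN normalisation, the "+"/"-" incremental forms other than "+0", and the additional search access slapd needs for filter evaluation.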