Univention Bugzilla – Bug 39877
ldap/acl/read/ips does not work
Last modified: 2015-12-14 13:03:22 CET
The fix for Bug #29482 seems to break the anonymous read via IP, for example:

ucr set ldap/acl/read/ips="127.0.0.1"

In my test setup this results in:
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
    by anonymous auth
    by * +0 break
access to *
    by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
    by users read
    by peername.ip=127.0.0.1 read
-------------------------------------------------------------------
An anonymous search via 127.0.0.1 is not possible. After removing the lines
-------------------------------------------------------------------
access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
    by anonymous auth
    by * +0 break
-------------------------------------------------------------------
it works again.

+++ This bug was initially created as a clone of Bug #29482 +++

With a Kerberos ticket as Administrator, I cannot perform LDAP operations as Administrator on a 3.0 / 3.1 system:

Administrator@master411:~$ kinit Administrator
Administrator@DEADLOCK41.LOCAL's Password:
Administrator@master411:~$ ldapadd -Y GSSAPI -f x
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=users2,dc=deadlock41,dc=local"
ldap_add: Insufficient access (50)
        additional info: no write access to parent
Administrator@master411:~$ ldapsearch -Y GSSAPI uid=Administrator -LLL uid userPassword
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: uid=Administrator,cn=users,dc=deadlock41,dc=local
uid: Administrator
Administrator@master411:~$
I've simply added the configured IPs before the "by anonymous auth" statement.
DC Master SASL auth without ldap/acl/read/ips: OK
DC Master SASL auth with ldap/acl/read/ips: OK
DC Master read with IP in ldap/acl/read/ips: OK
DC Master read not allowed from IPs not in ldap/acl/read/ips: OK
DC Slave read with IP in ldap/acl/read/ips: OK
DC Slave read not allowed from IPs not in ldap/acl/read/ips: OK

Changelog not required due to interim version.
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".
(In reply to Stefan Gohmann from comment #0)
> access to dn.subtree="dc=deadlock44,dc=intranet" attrs=entry,uid
>     by anonymous auth
>     by * +0 break
> access to *
>     by set="user & [cn=Domain Admins,cn=groups,dc=deadlock44,dc=intranet]/uniqueMember*" write
>     by users read
>     by peername.ip=127.0.0.1 read

The problem was that "stop" is the default control value, which stops processing ACLs immediately and thus skips all following ACLs. As the read from 127.0.0.1 is "by anonymous", that later rule was never reached. Adding a "break" would have allowed slapd to continue using the following ACLs. It might be a good idea to change that for Bug #34203.
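The following is an added example, not code from slapd or from Univention: a small Python model of how slapd walks an ACL (first matching "by" clause of a matching "access to" directive wins, and its control word, "stop" by default or "break", decides whether evaluation ends there or goes on with the next directive). It replays the three ACL variants discussed in this bug, transcribed by hand from the comments above: the broken ACL from comment #0, the fix from the comment that moves the configured IPs in front of "by anonymous auth", and the alternative of putting "break" on the "by anonymous auth" line. Simplifications, all assumptions of this model: the "set=" clause is reduced to a group-membership check, only the "stop" and "break" controls are modelled, "+0" is the only incremental privilege handled, and the privilege ladder is a subset of slapd's.

```python
"""Toy model of slapd ACL evaluation order (added example, not slapd code).

Rules modelled: first matching <who> clause of a matching <what> directive
applies; "stop" (the default) ends evaluation, "break" moves on to the next
directive; a directive whose <what> matches but whose <who> clauses all miss
denies access, like slapd's implicit "by * none".
"""

# Privilege ladder, low to high (subset of slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

BASE = "dc=deadlock44,dc=intranet"
DOMAIN_ADMINS = "cn=Domain Admins,cn=groups," + BASE


class Client:
    """Who is asking: bind DN (None = anonymous), peer IP, group DNs."""

    def __init__(self, dn, ip, groups=()):
        self.dn, self.ip, self.groups = dn, ip, set(groups)


def who_matches(who, client):
    if who == "*":
        return True
    if who == "anonymous":
        return client.dn is None
    if who == "users":
        return client.dn is not None
    if who.startswith("peername.ip="):
        return client.ip == who.split("=", 1)[1]
    if who.startswith("set="):  # assumption: treat the set as group membership
        group = who.split("[", 1)[1].split("]", 1)[0]
        return group in client.groups
    raise ValueError("unsupported <who>: " + who)


def what_matches(what, dn, attr):
    """<what> is "*" or (subtree_dn, set_of_attrs)."""
    if what == "*":
        return True
    subtree, attrs = what
    return dn.endswith(subtree) and attr in attrs


def evaluate(acls, client, dn, attr):
    """Return the privilege the client ends up with for attribute attr of dn."""
    granted = "none"
    for what, clauses in acls:
        if not what_matches(what, dn, attr):
            continue
        for who, access, control in clauses:
            if not who_matches(who, client):
                continue
            if access == "+0":          # incremental form: adds nothing
                pass
            else:                       # absolute level replaces what we had
                granted = access
            if control == "stop":       # slapd's default: evaluation ends here
                return granted
            if control == "break":      # go on with the next access directive
                break
            raise ValueError("unsupported control: " + control)
        else:
            return "none"               # <what> matched, no <who> did: deny
    return granted


SET_ADMINS = "set=user & [%s]/uniqueMember*" % DOMAIN_ADMINS

# ACL from comment #0: "by anonymous auth" stops, so an anonymous client from
# 127.0.0.1 never reaches the peername rule in the second directive.
BROKEN = [
    ((BASE, {"entry", "uid"}), [
        ("anonymous", "auth", "stop"),
        ("*", "+0", "break"),
    ]),
    ("*", [
        (SET_ADMINS, "write", "stop"),
        ("users", "read", "stop"),
        ("peername.ip=127.0.0.1", "read", "stop"),
    ]),
]

# Fix applied in this bug: configured IPs listed before "by anonymous auth".
FIXED = [
    ((BASE, {"entry", "uid"}), [
        ("peername.ip=127.0.0.1", "read", "stop"),
        ("anonymous", "auth", "stop"),
        ("*", "+0", "break"),
    ]),
    BROKEN[1],
]

# Alternative from the last comment: "break" after "by anonymous auth" lets
# evaluation fall through to the peername rule of the second directive.
ALT_BREAK = [
    ((BASE, {"entry", "uid"}), [
        ("anonymous", "auth", "break"),
        ("*", "+0", "break"),
    ]),
    BROKEN[1],
]

if __name__ == "__main__":
    entry = "uid=Administrator,cn=users," + BASE
    for name, acl in ("BROKEN", BROKEN), ("FIXED", FIXED), ("ALT_BREAK", ALT_BREAK):
        print(name, "anonymous@127.0.0.1 on uid:",
              evaluate(acl, Client(None, "127.0.0.1"), entry, "uid"))
```

The model also shows what the fixed ACL does for the other callers in the test matrix above: an anonymous client from an IP that is not configured still only gets "auth" on entry/uid and nothing on other attributes, an authenticated user falls through the "+0 break" clause to "by users read", and a member of Domain Admins reaches the "set=" clause and gets write.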