TremoloSecurity / MyVirtualDirectory

Open Source LDAP Virtual Directory
Apache License 2.0

ACI & vmemberof #22

Open Patrock opened 7 years ago

Patrock commented 7 years ago

@mlbiam I just added ACIs to my setup and always get this error when searching for the memberof attribute:

```
Message ID : 13
SearchRequest
    baseDn : 'dc=XXX'
    filter : '(cn=XXX)'
    scope : whole subtree
    typesOnly : false
    Size Limit : 1000
    Time Limit : no limit
    Deref Aliases : deref Always
    attributes : 'memberof', 'objectClass'
org.apache.directory.api.ldap.model.message.SearchRequestImpl@4455821d: Insufficient Access Rights: org.apache.directory.api.ldap.model.exception.LdapNoPermissionException: Insufficient Access Rights
    at net.sourceforge.myvd.inserts.accessControl.AccessMgmt.checkPermisions(AccessMgmt.java:89)
    at net.sourceforge.myvd.inserts.accessControl.AccessMgmt.checkFilter(AccessMgmt.java:247)
    at net.sourceforge.myvd.inserts.accessControl.AccessMgmt.checkFilter(AccessMgmt.java:255)
    at net.sourceforge.myvd.inserts.accessControl.AccessMgmt.search(AccessMgmt.java:166)
    at net.sourceforge.myvd.chain.SearchInterceptorChain.nextSearch(SearchInterceptorChain.java:57)
    at net.sourceforge.myvd.inserts.mapping.VirtualMemberOf.postSearchEntry(VirtualMemberOf.java:331)
    at net.sourceforge.myvd.chain.PostSearchEntryInterceptorChain.nextPostSearchEntry(PostSearchEntryInterceptorChain.java:65)
    at net.sourceforge.myvd.inserts.accessControl.AccessMgmt.postSearchEntry(AccessMgmt.java:199)
    at net.sourceforge.myvd.chain.PostSearchEntryInterceptorChain.nextPostSearchEntry(PostSearchEntryInterceptorChain.java:65)
    at net.sourceforge.myvd.types.Results.nextEntry(Results.java:202)
    at net.sourceforge.myvd.types.Results.hasMore(Results.java:123)
    at net.sourceforge.myvd.types.Results.finishSet(Results.java:156)
    at net.sourceforge.myvd.types.Results.hasMore(Results.java:120)
    at net.sourceforge.myvd.types.Results.start(Results.java:105)
    at net.sourceforge.myvd.server.apacheds.MyVDInterceptor.search(MyVDInterceptor.java:782)
    at org.apache.directory.server.core.DefaultOperationManager.search(DefaultOperationManager.java:1345)
    at org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1113)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.doSimpleSearch(SearchRequestHandler.java:827)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleIgnoringReferrals(SearchRequestHandler.java:1179)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handleWithReferrals(SearchRequestHandler.java:1273)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:223)
    at org.apache.directory.server.ldap.handlers.request.SearchRequestHandler.handle(SearchRequestHandler.java:93)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:207)
    at org.apache.directory.server.ldap.handlers.LdapRequestHandler.handleMessage(LdapRequestHandler.java:56)
    at org.apache.mina.handler.demux.DemuxingIoHandler.messageReceived(DemuxingIoHandler.java:221)
    at org.apache.directory.server.ldap.LdapProtocolHandler.messageReceived(LdapProtocolHandler.java:217)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:854)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:542)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:48)
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:943)
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:74)
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:63)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.runTask(UnorderedThreadPoolExecutor.java:475)
    at org.apache.mina.filter.executor.UnorderedThreadPoolExecutor$Worker.run(UnorderedThreadPoolExecutor.java:429)
    at java.lang.Thread.run(Thread.java:745)
```

My Setup now:

```
server.globalChain=ACL

server.globalChain.ACL.className=net.sourceforge.myvd.inserts.accessControl.AccessMgmt
server.globalChain.ACL.config.numACIs=9
server.globalChain.ACL.config.aci.0=dc=XXX#subtree#deny:v,a,d#[entry]#public:
server.globalChain.ACL.config.aci.1=dc=XXX#subtree#grant:a,d,v#[entry]#dn:cn=admin
server.globalChain.ACL.config.aci.2=dc=XXX#subtree#grant:r,w,s,o,p,c#[all]#dn:cn=admin
server.globalChain.ACL.config.aci.3=dc=XXX#subtree#grant:v#[entry]#dn:cn=user
server.globalChain.ACL.config.aci.4=dc=XXX#subtree#grant:r,s,p,c#[all]#dn:cn=user
server.globalChain.ACL.config.aci.5=CN=ROOTDSE#entry#grant:v#[entry]#public:
server.globalChain.ACL.config.aci.6=CN=ROOTDSE#entry#grant:r,w,s,c,p#[all]#public:
server.globalChain.ACL.config.aci.7=cn=schema#entry#grant:v#[entry]#public:
server.globalChain.ACL.config.aci.8=cn=schema#entry#grant:r,w,s,c,p#[all]#public:

server.nameSpaces=root,dcroot,INTERNAL,CIT,Schema ...

server.dcroot.chain=rootObject ...

server.Schema.chain=LDAPSchema ...

server.INTERNAL.chain=vmemberof,embeddedgroups,dnmapper,LDAP_INTERNAL ...

server.CIT.chain=vmemberof,uuid2text,dnmapper,objmap,membertrans,LDAP_CIT ...
```

(With this setup (local vmemberof) I don't get problems with my RootDSE as described earlier.)

Thanks

Patrick

mlbiam commented 7 years ago

@Patrock two things:

  1. What user are you binding as?
  2. The ACIs are referencing just the RDN, it needs to be the full DN

Patrock commented 7 years ago

@mlbiam I have created a user in the INTERNAL directory, and this user I have added to the ACI (with full DN, I just omitted it but now see that this is confusing ;)

admin user: cn=myvd.admin,ou=users,dc=internal
normal user (readonly): myvd.reader,ou=users,dc=internal
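A small lint for ACI lines in the properties form shown above that catches the bare-RDN subject mlbiam points out (a `dn:` subject with a single RDN instead of a full DN). This is an added example in Python, not code from MyVirtualDirectory; the five-field layout `target#scope#action:perms#attrs#subject` is read off the config in this thread and is an assumption, as are the constructed sample lines.

```python
import re

# Constructed sample in the properties form used above: aci.1 repeats the
# bare-RDN subject from the original config, aci.2 uses the full DN given later.
SAMPLE_CONFIG = """\
server.globalChain.ACL.config.numACIs=3
server.globalChain.ACL.config.aci.0=dc=XXX#subtree#deny:v,a,d#[entry]#public:
server.globalChain.ACL.config.aci.1=dc=XXX#subtree#grant:a,d,v#[entry]#dn:cn=admin
server.globalChain.ACL.config.aci.2=dc=XXX#subtree#grant:r,w,s,o,p,c#[all]#dn:cn=myvd.admin,ou=users,dc=internal
"""

ACI_KEY = re.compile(r"^server\.globalChain\.ACL\.config\.aci\.(\d+)=(.*)$")

def parse_aci(value):
    """Split one ACI value into the five '#'-separated fields seen in the config.
    Assumed layout: target DN # scope # grant|deny:perms # [entry]|[all] # subject."""
    parts = value.split("#")
    if len(parts) != 5:
        raise ValueError("expected 5 '#'-separated fields: %r" % value)
    target, scope, rule, attrs, subject = parts
    action, _, perms = rule.partition(":")
    return {"target": target, "scope": scope, "action": action,
            "perms": [p for p in perms.split(",") if p],
            "attrs": attrs, "subject": subject}

def dn_components(dn):
    # Split on commas that are not backslash-escaped; enough for the DNs here.
    return [c.strip() for c in re.split(r"(?<!\\),", dn) if c.strip()]

def lint_config(text):
    """Return (aci index, problem) pairs for every 'dn:' subject that is a
    bare RDN rather than a full DN, so the rule can never match a bound user."""
    problems = []
    for line in text.splitlines():
        m = ACI_KEY.match(line.strip())
        if not m:
            continue
        idx, aci = int(m.group(1)), parse_aci(m.group(2))
        if aci["subject"].startswith("dn:"):
            dn = aci["subject"][3:]
            if len(dn_components(dn)) < 2:
                problems.append((idx, "subject %r is an RDN, not a full DN" % dn))
    return problems

if __name__ == "__main__":
    for idx, problem in lint_config(SAMPLE_CONFIG):
        print("aci.%d: %s" % (idx, problem))
```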