Univention Bugzilla – Bug 29482
Permissions via GSSAPI
Last modified: 2018-04-21 08:03:11 CEST
With a Kerberos ticket as Administrator I cannot perform LDAP operations as Administrator on a 3.0 / 3.1 system:

Administrator@master411:~$ kinit Administrator
Administrator@DEADLOCK41.LOCAL's Password:
Administrator@master411:~$ ldapadd -Y GSSAPI -f x
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
adding new entry "cn=users2,dc=deadlock41,dc=local"
ldap_add: Insufficient access (50)
	additional info: no write access to parent
Administrator@master411:~$ ldapsearch -Y GSSAPI uid=Administrator -LLL uid userPassword
SASL/GSSAPI authentication started
SASL username: Administrator@DEADLOCK41.LOCAL
SASL SSF: 56
SASL data security layer installed.
dn: uid=Administrator,cn=users,dc=deadlock41,dc=local
uid: Administrator

Administrator@master411:~$
This was broken by disabling anonymous bind:

# man slapd.conf
> Note that this search is subject to access controls. Specifically, the
> authentication identity must have "auth" access in the subject.

# man slapd.access
> Some internal operations and some controls require specific access
> privileges. The authzID mapping and the proxyAuthz control require auth (=x)
> privileges on all the attributes that are present in the search filter of the
> URI regexp maps (the right-hand side of the authz-regexp directives). Auth
> (=x) privileges are also required on the authzTo attribute of the authorizing
> identity and/or on the authzFrom attribute of the authorized identity. In
> general, when an internal lookup is performed for authentication or
> authorization purposes, search-specific privileges (see the access requirements
> for the search operation illustrated above) are relaxed to auth.

# kinit Administrator
# ldapwhoami 2>/dev/null
dn:uid=administrator,cn=gssapi,cn=auth
# sed -i 's/sasl-regexp/authz-regexp/' /etc/univention/templates/files/etc/ldap/slapd.conf.d/60univention-ldap-server_acl-master
# echo " by anonymous auth" >>/etc/univention/templates/files/etc/ldap/slapd.conf.d/70univention-ldap-server_acl-master-end
# ucr commit /etc/ldap/slapd.conf
# /etc/init.d/slapd restart
# ldapwhoami 2>/dev/null
dn:uid=administrator,cn=users,dc=phahn,dc=dev
# ldapadd -Y GSSAPI <<__LDIF__
> dn: ou=test,dc=phahn,dc=dev
> objectClass: organizationalUnit
> ou: test
> __LDIF__
adding new entry "ou=test,dc=phahn,dc=dev"

Also see Bug #20051 comment 5
Created attachment 5534: Fix GSSAPI for slapd
It would be nice to restrict the "auth" access to something like »by dn.subtree="cn=gssapi,cn=auth" auth«, but it doesn't seem to work in my tests. It always fails (with "loglevel acl" enabled) with:

=> acl_mask: access to entry "dc=phahn,dc=dev", attr "entry" requested

Alternatively the following rule should be added right before "access to *":

access to dn.subtree="dc=phahn,dc=dev" attr=entry,uid
	by anonymous auth

For quick testing:

# /etc/init.d/slapd stop
# echo "URI ldap://localhost:7390" >~/ldaprc
# /usr/sbin/slapd -h ldap://:7390/ -d acl & pid=$! ; sleep 1 ; ldapwhoami ; kill $pid ; wait
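The mechanism the two comments above describe (the authz-regexp lookup needs auth (=x) access on the `entry` pseudo-attribute and on every attribute in the mapping's search filter, which an `access to dn.subtree=... attr=entry,uid by anonymous auth` rule restores; the reviewed patch later in this bug uses the `by * +0 break` form so the rule does not shadow the rules after it), as an added Python model. This is not code from the bug, from UCS or from OpenLDAP: it simplifies slapd's ACL engine to first-matching `access to`, first-matching `by`, the `break` control and the implicit `by * none`; the lookup identity is modelled as anonymous because that is what the working rule grants to; the two ACL sets, `USER_DN`, and the names `Access`, `can_access`, `map_authcid` and `sasl_bind_resolves` are all constructed here.

```python
import re
from urllib.parse import unquote

# slapd access levels from lowest to highest; a grant at one level implies every lower one
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def grants(level, required):
    """True if access level `level` satisfies a request for `required`."""
    return LEVELS.index(level) >= LEVELS.index(required)


# authz-regexp as used in the thread: SASL authcid -> LDAP URL in RFC 2255 form
# (ldap:///base?attrs?scope?filter); base DN and filter may be percent-encoded
AUTHZ_REGEXP = (re.compile(r"^uid=([^,]+),cn=gssapi,cn=auth$"),
                "ldap:///dc=phahn,dc=dev??sub?(uid=$1)")


def map_authcid(authcid):
    """Expand the authz-regexp for `authcid`; returns (base, scope, filter, filter_attrs) or None."""
    m = AUTHZ_REGEXP[0].match(authcid.lower())
    if m is None:
        return None
    url = AUTHZ_REGEXP[1].replace("$1", m.group(1))
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?")
    base, flt = unquote(base), unquote(flt)
    # every attribute named in the filter needs auth (=x) access for the internal lookup
    filter_attrs = re.findall(r"\(([A-Za-z][\w-]*)=", flt)
    return base, scope, flt, filter_attrs


class Access:
    """One 'access to <what> by <who> <level> [break]' directive (simplified model)."""

    def __init__(self, subtree=None, attrs=None, by=()):
        self.subtree = subtree                       # dn.subtree="..." or None for '*'
        self.attrs = set(attrs) if attrs else None   # attrs=... or None for '*'
        self.by = list(by)                           # (who, level, "stop" | "break")

    def matches(self, dn, attr):
        in_tree = self.subtree is None or dn.lower().endswith(self.subtree.lower())
        return in_tree and (self.attrs is None or attr in self.attrs)


def who_matches(who, requester_dn, target_dn):
    return (who == "*"
            or (who == "anonymous" and requester_dn is None)
            or (who == "users" and requester_dn is not None)
            or (who == "self" and requester_dn is not None
                and requester_dn.lower() == target_dn.lower()))


def can_access(acl, requester_dn, dn, attr, required):
    """First matching <what> wins, then first matching <who>; 'break' moves on to the
    next directive, and a <by> list nobody matches denies (implicit 'by * none')."""
    for directive in acl:
        if not directive.matches(dn, attr):
            continue
        for who, level, control in directive.by:
            if not who_matches(who, requester_dn, dn):
                continue
            if grants(level, required):
                return True
            if control == "break":
                break            # '+0 break': no privilege added, keep evaluating later directives
            return False
        else:
            return False         # no <who> matched this directive: denied
    return False                 # no directive matched: default deny


def sasl_bind_resolves(acl, authcid, user_dn, lookup_dn=None):
    """Does the authz lookup get auth (=x) on 'entry' and the filter attributes of `user_dn`?
    Modelled as an anonymous lookup (lookup_dn=None), matching the rule that fixed the bug."""
    mapping = map_authcid(authcid)
    if mapping is None:
        return False
    base, _scope, _flt, filter_attrs = mapping
    if not user_dn.lower().endswith(base.lower()):
        return False
    return all(can_access(acl, lookup_dn, user_dn, a, "auth") for a in ["entry", *filter_attrs])


USER_DN = "uid=administrator,cn=users,dc=phahn,dc=dev"   # constructed

# Constructed ACL resembling the broken state: anonymous bind disabled, only users may read
ACL_BEFORE = [
    Access(attrs=["userPassword"], by=[("self", "write", "stop"), ("*", "none", "stop")]),
    Access(by=[("users", "read", "stop")]),
]

# Constructed fix in the shape proposed above, with '+0 break' so later rules still apply
ACL_AFTER = [
    Access(subtree="dc=phahn,dc=dev", attrs=["entry", "uid"],
           by=[("anonymous", "auth", "stop"), ("*", "none", "break")]),
    Access(attrs=["userPassword"], by=[("self", "write", "stop"), ("*", "none", "stop")]),
    Access(by=[("users", "read", "stop")]),
]

if __name__ == "__main__":
    authcid = "uid=administrator,cn=gssapi,cn=auth"
    print("before fix, GSSAPI bind maps to user:", sasl_bind_resolves(ACL_BEFORE, authcid, USER_DN))
    print("after fix,  GSSAPI bind maps to user:", sasl_bind_resolves(ACL_AFTER, authcid, USER_DN))
    print("after fix,  anonymous may read uid:   ", can_access(ACL_AFTER, None, USER_DN, "uid", "read"))
    print("after fix,  users may read uid:       ", can_access(ACL_AFTER, USER_DN, USER_DN, "uid", "read"))
```

The point to take from the model is the one the man page excerpt makes: the mapping lookup runs before the bind has an identity, so a rule set that only grants to `users` leaves it with nothing, and the fix grants exactly `auth` (never `read`) on `entry` and the filter attributes, which the `anonymous may read uid` check confirms is still denied.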
Created attachment 7127: patch

Here is a new patch. I could not add an entry with slapadd like in comment #0, so I don't apply this patch now (everything still seems to work).
This is required for SAML authentication to work, too.
univention-ldap (12.1.1-1): r63371 | Bug #29482: fix permissions for SASL bind via kerberos (GSSAPI) and SAML
From https://tools.ietf.org/html/rfc2255 I assume that you should URL-encode the LDAP-URLs, e.g. to encode base DNs containing spaces.
(In reply to Arvid Requate from comment #7)
> From https://tools.ietf.org/html/rfc2255 I assume that you should URL-encode
> the LDAP-URLs, e.g. to encode base DNs containing spaces.

ldap_base is not properly encoded in *any* of the /etc/univention/templates/files/etc/ldap/slapd.conf.d/* files, so currently you're doomed if you want to use LDAP-URL special characters.
AFAIK a new bug should be filed to fix that mess, but don't misuse this bug.
(In reply to Philipp Hahn from comment #8)
> (In reply to Arvid Requate from comment #7)
> > From https://tools.ietf.org/html/rfc2255 I assume that you should URL-encode
> > the LDAP-URLs, e.g. to encode base DNs containing spaces.
>
> ldap_base is not properly encoded in *any* of the
> /etc/univention/templates/files/etc/ldap/slapd.conf.d/* files, so currently
> you're doomed if you want to use LDAP-URL special characters.
> AFAIK a new bug should be filed to fix that mess, but don't misuse this bug.

→ Bug #39345
Ok works. The "by * +0 break" is nice. Not very intuitive though ;-) Changelog is ok too.
UCS 4.1 has been released:
https://docs.software-univention.de/release-notes-4.1-0-en.html
https://docs.software-univention.de/release-notes-4.1-0-de.html

If this error occurs again, please use "Clone This Bug".