README was woefully out of date. tinyldap has had write support for
years now. ACL now gives some information about the default behavior and how matching works.
ACL
@@ -1,3 +1,5 @@
1. What ACLs look like

ACLs are:

acl subject object attributes access;
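Review bot: the grammar line `acl subject object attributes access;` never says what `subject` and `object` are; the only hint in this file is the implementation note much further down that "ACL filters share the syntax of search filters", and the root example `acl (dn=cn=root,o=fefe,c=de) (objectClass=*) * +rwdR` suggests the subject filter is applied to the bound DN and the object filter to the entry being accessed. State that here, together with the meaning of `*` in the subject, object and attributes positions, so a reader can write a valid rule from section 1 alone instead of reverse-engineering it from the examples.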
@@ -15,11 +17,68 @@ Example:

acl (dn=cn=root,o=fefe,c=de) (objectClass=*) * +rwdR

r read
w write
a add
d delete
R rename DN

The default is: Anonymous user can read all, write none.
The first useful ACL is therefore:

acl * * userPassword -r;

Authenticating against a DN is always allowed. The above ACL prohibits
getting the (hopefully encrypted) userPassword field content via LDAP.


ACLs can have some redundancy in them, so we want to find filter strings
in ACLs that are the same, and then only evaluate them once. So we need
to write the ACLs to disk like this:

2. How they are evaluated

ACLs are matched in the order they are given.
The first matching ACL wins.



3. How to apply them

Put the ACLs in a text file, for example "acls".
Use parse to convert your ldif into a "data" file, then use addindex to
add indices as usual, then run acl on the new data file. For example,
here is a Makefile example:

data: ldif
$(TINYLDAP)/parse ldif data.new
$(TINYLDAP)/addindex data.new dn hu
$(TINYLDAP)/addindex data.new danke if
$(TINYLDAP)/addindex data.new ts f
$(TINYLDAP)/acl data.new
chmod a+r data.new
mv -f data.new data

Note how the new data file is only moved over the old one after all
other operations went through without errors.



4. Where is the code?

The code to read ACLs in text format, parse them, and put them into the
binary form understood by tinyldap is in acl.c.

The code that applies the ACLs in tinyldap is in the function called
"checkacls" in tinyldap.c.


5. Implementation notes

ACL filters share the syntax of search filters.
However, because the ACL syntax is limited we expect filters to be used
more than ones. That's why acl.c will deduplicate filters and tinyldap
will make sure to only match a filter once, even if it is referenced in
multiple ACLs.

The on disk format looks like this:

first the filters:

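Review bot: `chmod a+r data.new` in the Makefile recipe makes the data file world-readable, and that file contains the very `userPassword` values that the `acl * * userPassword -r;` example exists to hide, so any local user can read the hashes directly from disk without ever hitting the ACL; restrict the mode to the user or group tinyldap runs as (for example `chmod 640 data.new` with the matching group) or say explicitly why world-readable is acceptable. Two smaller points in the same hunk: because "The first matching ACL wins" and `acl * * userPassword -r;` has subject `*`, placing it first also blocks the root rule `acl (dn=cn=root,o=fefe,c=de) (objectClass=*) * +rwdR` from ever granting root read access to userPassword, so the text should spell out the intended ordering (and note that the root example grants rwdR but not a, even though the README in this commit says AddRequest is supported); and the paragraph ending "So we need to write the ACLs to disk like this:" runs straight into the "2. How they are evaluated" heading while section 5 likewise stops at "first the filters:", so the on-disk format description is either missing or misplaced. Also "more than ones" should read "more than once".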
README
@@ -6,9 +6,9 @@ This will be encapsulated some more eventually.
ldapclient is the client test application. It connects to localhost,
makes a BindRequest and dumps the BindResponse in human readable form.

tinyldap is the server test application. It can understand BindRequest,
some simple forms of SearchRequest, and it can even answer simple
queries.
tinyldap is the server test application. It understands BindRequest,
SearchRequest, ModifyRequest, AddRequest, and DelRequest. It does not
yet support ModifyDNRequest.

tinyldap now supports an external database representation with indexes.
Use "parse" to create the file "data" from an LDIF file called
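Review bot: the new sentence "It does not yet support ModifyDNRequest." sits oddly against the ACL file in this same commit, which already documents an `R rename DN` access bit; add a clause here (or next to the R entry in ACL) saying that R is parsed but has no effect until ModifyDNRequest is implemented, so nobody reads a `+R` grant as working rename support.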
@@ -32,13 +32,11 @@ parse will now normalize dn before writing it to the index. That means
that the attribute names in dn are lowercased, ';' is converted to ','
and spaces after ';' or ',' are removed.

tinyldap support authentication. It does not have any real effect yet,
as tinyldap does not support ACLs, but it can be used to use LDAP for
password checking. To use this, you must add an index for "dn". Most
programs check by an attribute called "uid", so you should have that as
well, and put the password into an attribute called "userPassword". By
convention, the attribute "homeDirectory" contains $HOME for that user.
tinyldap support three kinds of passwords here:
tinyldap supports authentication. To use this, you must add an index
for "dn". Most programs check by an attribute called "uid", so you
should have that as well, and put the password into an attribute called
"userPassword". By convention, the attribute "homeDirectory" contains
$HOME for that user. tinyldap support three kinds of passwords here:

- straight MD5
I think I took this scheme from OpenLDAP. It's just the straight
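Review bot: the rewritten paragraph drops the old caveat that authentication "does not have any real effect yet" without replacing it with what now actually protects the password: per the ACL file in this commit the default is that anonymous users can read everything, so a plain `userPassword` attribute is readable by any unauthenticated client until a rule such as `acl * * userPassword -r;` is installed. Point readers at the ACL file here, right where they are told to store the password. Also "tinyldap support three kinds" in the new last line should be "supports".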
@@ -48,6 +46,9 @@ tinyldap support three kinds of passwords here:
You can use "md5password" (part of the tinyldap distribution) to
calculate these passwords.

NOTE: MD5 is insecure and this method uses no salt. If you have a
choice, never use it!

- crypt(3)
This means you can simply copy the password from /etc/shadow.
If your libc supports MD5 passwords in crypt (diet libc does, glibc

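Review bot: the new NOTE tells readers never to use the straight-MD5 scheme if they have a choice but does not say what to choose instead; since the `crypt(3)` entry directly below it is the alternative whose hashes carry a salt, add a clause pointing there, and consider placing the NOTE above the `md5password` instructions so it is read before the tool is used rather than after.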