Openldap and Multi-Master Replication in FreeBSD – Part VII: Access Control Policy and SSF


Access Control Policy and SSF:

Access control policy (ACP) for the OpenLDAP server is implemented with the "access to" directive. This article is not a tutorial on access control or SSF (security strength factor) in OpenLDAP; it is a brief look at the author's immediate needs for an initial level of directory security using the access control mechanisms.


Getting Started:

The key to implementing an access control policy is to start with a very basic configuration and then add to it incrementally. As "access to" directives are added, testing each policy change becomes extremely important to ensure the desired results are achieved. A simple "access to" configuration to start with:

access to *
        by self write
        by anonymous auth
        by users read

This directive allows users to modify their own entry, allows anonymous clients to authenticate against these entries, and allows authenticated users to read these entries. It is offered as a starting point and as a place to fall back to if additions to your ACP become hard to reason about.


Goals:

  • Allow access to the base and subschema entries for identification and capability discovery
  • Allow read access to the entire DIT for limited uses or clients
  • Limit access to the attribute userPassword
  • Limit access to other attributes by type of user
  • Define access to the rest of the DIT based on user identity


Slapd.conf Entries:

# Access Control Policies (ACP)
# The ACP below provides incoming connections with the ability to read
# the rootDSE. This is important, as clients may need to obtain information
# from the base level. It also allows anyone to read the Subschema DSE.

access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read

# This ACP grants the Avaya IP Office host (192.168.0.180) read access to the ou=People
# entry itself without TLS or any ssf requirement. 'by * break' stops evaluating this
# directive for every other client and continues with the next matching "access to"
# directive instead of ending with the implicit "by * none".

access to dn.exact="ou=People,dc=loga,dc=us"
 by peername.ip=192.168.0.180%255.255.255.255 read
 by * break

# Access to the attribute "userPassword". The Avaya host (192.168.0.180) is explicitly
# denied. The Manager roleOccupant, members of the SysMgmt group and the entry owner
# (self) may write it; anonymous clients and clients in the 192.168.0.0/24 range may use
# it for authentication ('auth') only. All other access is denied, and every clause
# except the peername.ip one requires tls_ssf=256 security strength.

access to attrs=userPassword
 by peername.ip=192.168.0.180%255.255.255.255 none
 by group/organizationalRole/roleOccupant="cn=Manager,dc=loga,dc=us" tls_ssf=256 write
 by set="[cn=SysMgmtGrp,ou=Groups,dc=loga,dc=us]/memberUid & user/uid" tls_ssf=256 write
 by self tls_ssf=256 write
 by anonymous tls_ssf=256 auth
 by peername.ip=192.168.0.0%255.255.255.0 tls_ssf=256 auth
 by * none

# The next ACP covers the attributes gidNumber, homeDirectory, loginShell, uidNumber and
# uid. The Avaya host (192.168.0.180) may read them without TLS; the Manager roleOccupant
# and the SysMgmt group may write them; all other clients in the 192.168.0.0/24 range may
# read them. Every action except the Avaya host's requires tls_ssf=256. All other access
# is denied. The range is written as its network address (192.168.0.0%255.255.255.0)
# because slapd compares the masked peer address with the address exactly as written.

access to attrs=gidNumber,homeDirectory,loginShell,uidNumber,uid
 by peername.ip=192.168.0.180%255.255.255.255 read
 by group/organizationalRole/roleOccupant="cn=Manager,dc=loga,dc=us" tls_ssf=256 write
 by set="[cn=SysMgmtGrp,ou=Groups,dc=loga,dc=us]/memberUid & user/uid" tls_ssf=256 write
 by peername.ip=192.168.0.0%255.255.255.0 tls_ssf=256 read
 by * none

# The last ACP: the Avaya IP Office host (192.168.0.180) has read access without TLS.
# Write access is reserved for the Manager roleOccupant, the SysMgmt group and self.
# Authenticated users and all clients in the 192.168.0.0/24 range (Macintosh OS X LAN
# clients logging in against the OpenLDAP server) have read access. All actions other
# than the Avaya host's require tls_ssf=256 security strength.

access to *
 by peername.ip=192.168.0.180%255.255.255.255 read
 by group/organizationalRole/roleOccupant="cn=Manager,dc=loga,dc=us" tls_ssf=256 write
 by set="[cn=SysMgmtGrp,ou=Groups,dc=loga,dc=us]/memberUid & user/uid" tls_ssf=256 write
 by self tls_ssf=256 write
 by users tls_ssf=256 read
 by peername.ip=192.168.0.0%255.255.255.0 tls_ssf=256 read
 by * none

Note:  In a Multi-Master Environment, configure each server’s ACP.
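As an added illustration (not part of the original article and not slapd's own code), the following Python models how slapd walks the directives above, so the effect of clause order, tls_ssf, the peername.ip mask and 'break' can be checked before a change touches a live server. The group/set clauses are left out, and the request fields (peer, bind, dn, attr, ssf) are names assumed here.

```python
import ipaddress

def peer_matches(spec, peer_ip):
    # peername.ip=<ip>[%<mask>]: slapd ANDs the peer address with <mask> and compares
    # the result to <ip> as written, so <ip> must be the network address of the range.
    ip, _, mask = spec.partition("%")
    masked = int(ipaddress.IPv4Address(peer_ip)) & int(ipaddress.IPv4Address(mask or "255.255.255.255"))
    return masked == int(ipaddress.IPv4Address(ip))

def who_matches(who, req):
    if who.startswith("peername.ip="):
        return peer_matches(who[12:], req["peer"])
    return {"*": True, "anonymous": req["bind"] is None,
            "users": req["bind"] is not None, "self": req["bind"] == req["dn"]}[who]

def evaluate(policy, req):
    # First directive whose <what> matches is used; its <by> clauses are tried in order.
    # An unmet tls_ssf means "no match", 'break' moves to the next directive, and an
    # implicit 'by * none' ends every directive.
    for what, clauses in policy:
        if not what(req["dn"], req["attr"]):
            continue
        for who, min_ssf, level in clauses:
            if req["ssf"] < min_ssf or not who_matches(who, req):
                continue
            if level == "break":
                break
            return level
        else:
            return "none"
    return "none"

# Three of the article's directives, with the group/set clauses left out for brevity.
PEOPLE = "ou=People,dc=loga,dc=us"
POLICY = [
    (lambda dn, attr: dn == PEOPLE, [            # access to dn.exact="ou=People,..."
        ("peername.ip=192.168.0.180%255.255.255.255", 0, "read"),
        ("*", 0, "break")]),
    (lambda dn, attr: attr == "userPassword", [  # access to attrs=userPassword
        ("peername.ip=192.168.0.180%255.255.255.255", 0, "none"),
        ("self", 256, "write"),
        ("anonymous", 256, "auth"),
        ("peername.ip=192.168.0.0%255.255.255.0", 256, "auth"),
        ("*", 0, "none")]),
    (lambda dn, attr: True, [                    # access to *
        ("peername.ip=192.168.0.180%255.255.255.255", 0, "read"),
        ("self", 256, "write"),
        ("users", 256, "read"),
        ("*", 0, "none")]),
]
```

Feeding it a request from a LAN client on a non-TLS session shows why an anonymous bind fails until tls_ssf reaches 256, and peer_matches shows that a mask of 255.255.255.0 written against a host address such as 192.168.0.180 matches no client at all.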


Summary:

With a little patience, experimentation and testing, one can deploy an access control policy for OpenLDAP that accommodates specific security or corporate policy concerns. As mentioned earlier, understanding the order in which access control directives are processed, and testing each change, are key to a successful implementation.


Additional Resources:

http://www.openldap.org

http://www.zytrax.com

man slapd.conf
