Access Control Policy and SSF:
In an effort to provide some level of control to the OpenLDAP Server, access control policy (ACP) can be implemented using the “access to” directive. This article will not focus as an instructive tutorial on access control or ssf (security strength factor) within OpenLDAP, but rather a brief insight into the author’s immediate needs to provide an initial level of directory security using the access control mechanisms.
The key to implementing an access control policy is to start with the very basic configuration and then add to it incrementally. As “access to” directives are added, testing each policy change becomes extremely important to ensure the desired results are achieved. A simple access to configuration to start with:
access to * by self write by anonymous auth by users read
This directive allows the user to modify their entry, allows anonymous to authentication against these entries, and allows authenticated users to read these entries. This is offered as a starting point as well as a place to fall back in case additions to your ACP become undeterminable.
- Allow access to base and subschema for identification and capability
- Allow read access to the entire DIT for limited uses or clients
- Limit access to attribute userPassword
- Limit access to other attributes by type of users
- Define access to rest of DIT base on users identity
# Access Control Policies (ACP) # The ACP below provides incoming connections with the ability to read # the rootDSE. This is important, as clients may need to obtain information # from the base level. It also allows anyone to read the Subschema DSE. access to dn.base="" by * read access to dn.base="cn=Subschema" by * read # This ACP is used to allow non-ssl and no ssf security read access for this ip address. # The ip address and associated ACP is for the Avaya IP Office LDAP Integration. # The 'break' command continues processing ACP when the condition is not met. access to dn.exact="ou=People,dc=loga,dc=us" by peername.ip=192.168.0.180%255.255.255.255 read by * break # This ACP allows non tls_ssf security strength access to the attribute "userPassword" # for the peername.ip address for 'auth' only. Allow write access for the roleOccupant, # authentication purposes only, write access to the attribute "userPassword" by self, # to the SysMgmt Group, and to self. It allows anonymous to authenicate against these # entries. All other access is denied. All actions, except by peername.ip, require tls_ssf=256 # security strength. access to attrs=userPassword by peername.ip=192.168.0.180%255.255.255.255 none by group/organizationalRole/roleOccupant="cn=Manager,dc=loga,dc=us" tls_ssf=256 write by set="[cn=SysMgmtGrp,ou=Groups,dc=loga,dc=us]/memberUid & user/uid" tls_ssf=256 write by self tls_ssf=256 write by anonymous tls_ssf=256 auth by peername.ip=192.168.0.0%255.255.255.0 tls+ssf=256 auth by * none # The next ACP allows access to the attributes gidNumber, homeDirectory, loginShell, uidNumber # and uid to SysMgmt Group, and all clients within the peer name ip address range # to authenticate against these entries. Non tls_ssf security strength by the peername.ip address # 192.168.0.180. All other access is denied. All actions, except by peename.ip address, require # tls_ssf=256 security strength. access to attrs=gidNumber,homeDirectory,loginShell,uidNumber,uid by peername.ip=192.168.0.180%255.255.255.255 read by group/organizationalRole/roleOccupant="cn=Manager,dc=loga,dc=us" tls_ssf=256 write by set="[cn=SysMgmtGrp,ou=Groups,dc=loga,dc=us]/memberUid & user/uid" tls_ssf=256 write by peername.ip=192.168.0.180%255.255.255.0 tls_ssf=256 read by * none # The last ACP allows Avaya IP Office (192.168.0.180) read access. Write access is reserved # for roleOccupant, SysMgmtGrp, and self. Authenticated users have read access. # All clients within the peername ip address range read access - For Macintosh OS X # LAN Clients to login to OpenLDAP Server. All actions require tls_ssf=256 security # strength unless noted otherwise. access to * by peername.ip=192.168.0.180%255.255.255.255 read by group/organizationalRole/roleOccupant="cn=Manager,dc=loga,dc=us" tls_ssf=256 write by set="[cn=SysMgmtGrp,ou=Groups,dc=loga,dc=us]/memberUid & user/uid" tls_ssf=256 write by self tls_ssf=256 write by users tls_ssf=256 read by peername.ip=192.168.0.180%255.255.255.0 tls_ssf=256 read by * none
Note: In a Multi-Master Environment, configure each server’s ACP.
With a little patience, experimentation and testing, one can deploy an access control policy for OpenLDAP to accommodate specific security or corporate policy concerns. As mentioned earlier, understanding the order of processing of access control policies and testing are key to a successful implementation.