OpenLDAP Access Control

SteveG in North Van — Tue, 23 Feb 2021 01:12:40 +0000

Determining the current Access Control Rules

I had some fun trying to figure out Access Control using the osixia/docker-openldap docker image. The image uses the dynamic configuration model rather than the slapd.conf file. This is a more flexible way of changing config without having to restart the server. The configuration is stored in the cn=config dn. It is edited using ldapmodify or ldapadd.

The problem I had was that I couldn’t find the dn cn=config. It didn’t show up in ldapsearch or using Apache Directory Studio. After searching around on Google, I eventually found the article Howto set access control lists ACLs in OpenLDAP on the Unix and Linux Stack Exchange. This article was very helpful in showing how to access the ACL permissions in OpenLDAP.

What I didn’t understand was that I needed to use the ldapi protocol and the EXTERNAL SASL authentication to access the configuration DN. This can only be done on the server itself.

Since this is a Docker image, I needed to open a shell on the running container to access the configuration.

docker exec -it ldap-server_openldap_1 /bin/bash

This provides access to a shell in the docker container itself. From there, I needed to run ldapsearch specifying the SASL External protocol and the appropriate search dn.

ldapsearch -Y external -H ldapi:/// -b cn=config -o ldif-wrap=no 'olcDatabase={1}mdb' olcAccess

The parameter -Y external specifies using the external SASL protocol. This uses Unix-domain sockets to authenticate using the UID and GID of the client process. See Section 15.2.4. EXTERNAL in the OpenLDAP Administrators Guide for more information.

The parameter -H ldapi:/// specifies using the LDAP over IPC protocol starting at the root of the LDAP structure.

The parameter -b cn=config specifies the starting point for search.

The parameter -o ldif-wrap=no causes ldapsearch to not try to wrap text. I find wrapped text to be very annoying.

The 'olcDatabase={1}mdb' parameter specifies a filter that constrains the output to just entries where the olcDatabase attribute has the value {1}mdb. The mdb portion of this attribute value indicates the database format, so it could be hdb if the backend database is Berkley DB. See Section 11.1. Berkeley DB Backends in the OpenLDAP Administrator’s Guide.

Finally, the olcAccess parameter specifies that only the olcAccess attribute should be returned.

Building an LDAP Server with Docker

SteveG in North Van — Mon, 22 Feb 2021 22:59:22 +0000

To start exploring identity management, I need to have an identity store to start with. I have been exploring the capabilities of Docker and so I want to experiment with standing up a light-weight LDAP server using Docker as the platform.

I chose to use the osixia/docker-openldap docker image. This stands up a basic Open LDAP service with only the admin user defined. The root dn is sdgallagher.ca based on my personal domain.

The source code for this is steveg0493/docker-ldap.

Idem

OpenLDAP Access Control

Determining the current Access Control Rules

Building an LDAP Server with Docker