Bug 436979 - ACI fails to match authmethod="ssl" on a TLS encrypted bind/search
Status: CLOSED NOTABUG
Product: Red Hat Directory Server
Classification: Red Hat
Component: Security - Access Control (ACL)
Version: 8.0
Hardware: All Linux
Priority: medium  Severity: medium
Assigned To: Rich Megginson
QA Contact: Chandrasekar Kannan
URL: http://www.redhat.com/docs/manuals/di...
Reported: 2008-03-11 10:22 EDT by Chris Evich
Modified: 2015-01-04 18:31 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-03-11 10:48:51 EDT
Description Chris Evich 2008-03-11 10:22:40 EDT
Description of problem:
If I put an ACI on the top of my tree for "anyone", it doesn't allow access when
a client connects using TLS and the ACI specifies authmethod="ssl" as documented
in the admin. guide, section 6.4.9. 

Version-Release number of selected component (if applicable):
RHDS 8.0

How reproducible:
Very.

Steps to Reproduce:
1. Setup SSL on server as per documentation using a self-signed CA to sign the
server's CSRs
2. Setup SSL on client and provide copy of CA cert.  Use ldapsearch -x -ZZ ...
to confirm connection is encrypted. e.g. 
[11/Mar/2008:14:57:52 -0400] conn=1415 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[11/Mar/2008:14:57:52 -0400] conn=1415 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[11/Mar/2008:14:57:52 -0400] conn=1415 SSL 256-bit AES
3. Setup ACI like the following on the root node, try using same ldapsearch with
and without the 'and authmethod="ssl"' component.

Actual results:
The search returns nothing with ssl part and returns everything without it.

Expected results:
The search should return everything in both cases.

Additional info:

(targetattr = "*")
(
 version 3.0; 
 acl "test";
 allow (read,compare,search)(userdn = "ldap:///anyone" and authmethod="ssl");
)
Comment 1 Rich Megginson 2008-03-11 10:48:51 EDT
I guess the documentation is not clear.  The authmethod keyword is for
authentication method e.g. what credentials and what mechanism did the user
present to authenticate to the directory.  "ssl" means that the user provided a
user certificate (or smart card, or some other pki device) to authenticate to
the directory.

Unfortunately, there is no way, using access control, to specify that the
connection must have a certain level of protection.  For example, with openldap,
you can say ssf=56 meaning the connection must have SSF level 56 or higher to
connect (e.g. TLS/SSL or SASL using DES).

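Since an ACI cannot require transport protection, the check the reporter wanted has to be done elsewhere. The script below is an added example, not part of this bug report or of Directory Server: it scans an access log in the format quoted above, treats a connection as protected once its "SSL <n>-bit <cipher>" line appears (as conn=1415 shows after startTLS), and reports BIND/search/modify operations that ran on connections with no such line. The sample log lines are constructed for the example; the BIND/SRCH line layout is assumed from the server's usual access-log format.

```python
import re

# Constructed sample in the access-log format quoted in the report (not real traffic).
# conn=1415 negotiates startTLS before binding; conn=1416 never does.
SAMPLE_LOG = """\
[11/Mar/2008:14:57:52 -0400] conn=1415 op=0 EXT oid="1.3.6.1.4.1.1466.20037" name="startTLS"
[11/Mar/2008:14:57:52 -0400] conn=1415 op=0 RESULT err=0 tag=120 nentries=0 etime=0
[11/Mar/2008:14:57:52 -0400] conn=1415 SSL 256-bit AES
[11/Mar/2008:14:57:53 -0400] conn=1415 op=1 BIND dn="" method=128 version=3
[11/Mar/2008:14:57:53 -0400] conn=1415 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(objectClass=*)" attrs=ALL
[11/Mar/2008:14:58:10 -0400] conn=1416 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128 version=3
[11/Mar/2008:14:58:10 -0400] conn=1416 op=1 SRCH base="dc=example,dc=com" scope=2 filter="(uid=alice)" attrs=ALL
"""

# The cipher line is logged once TLS (startTLS or LDAPS) is established on a connection.
TLS_RE = re.compile(r"\bconn=(\d+) SSL \d+-bit ")
# Operations worth flagging when they run on an unprotected connection.
OP_RE = re.compile(r"\bconn=(\d+) op=(\d+) (BIND|SRCH|MOD|ADD|DEL|MODRDN|CMP)\b")
BIND_DN_RE = re.compile(r'BIND dn="([^"]*)"')


def unprotected_ops(log_text):
    """Return (conn, op, kind, exposes_password) for operations logged on a
    connection before any TLS cipher line was seen for it.

    Connection ids are only unique within one server run, so feed one log
    file (or one segment between restarts) at a time.
    """
    tls_conns = set()
    findings = []
    for line in log_text.splitlines():
        m = TLS_RE.search(line)
        if m:
            tls_conns.add(m.group(1))
            continue
        m = OP_RE.search(line)
        if m and m.group(1) not in tls_conns:
            conn, op, kind = int(m.group(1)), int(m.group(2)), m.group(3)
            # A simple BIND with a non-empty DN (method=128) over plaintext
            # sends the password in the clear; an anonymous BIND (dn="") does not.
            dn = BIND_DN_RE.search(line)
            exposes_password = kind == "BIND" and bool(dn and dn.group(1))
            findings.append((conn, op, kind, exposes_password))
    return findings


if __name__ == "__main__":
    for finding in unprotected_ops(SAMPLE_LOG):
        print("unprotected operation:", finding)
```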