20121009 opendj default access controls - plembo/onemoretech GitHub Wiki

title: OpenDJ Default Access Controls link: https://onemoretech.wordpress.com/2012/10/09/opendj-default-access-controls/ author: lembobro description: post_id: 3468 created: 2012/10/09 17:29:16 created_gmt: 2012/10/09 21:29:16 comment_status: closed post_name: opendj-default-access-controls status: publish post_type: post

OpenDJ Default Access Controls

OpenDJ ships with extremely liberal read access for all, including anonymous, users. This should be taken into consideration when migrating data and access controls from other directories like Sun Directory. Sun Directory took a fairly conservative approach to access, denying all access unless otherwise granted by an aci. As a result my Sun Directory "Anyone access to root" control looked like this:

aci: (targetattr = "objectClass || entrydn || cn || uid || ou || o || l")
 (target = "ldap:///dc=example,dc=com") (version 3.0;acl "Anyone access to 
 root";allow (read,compare,search)(userdn = "ldap:///anyone");)

OpenDJ takes a different approach. Before you even get to setting access controls, there are defaults configured under "cn=Access Control Handler, cn=config" that are applied. For example, the "Anonymous Read Access" control reads as follows:

ds-cfg-global-aci: (targetattr!="userPassword||authPassword||changes||change
 Number||changeType||changeTime||targetDN||newRDN||newSuperior||deleteOldRDN
 ||targetEntryUUID||targetUniqueID||changeInitiatorsName||changeLogCookie")(
 version 3.0; acl "Anonymous read access"; allow (read,search,compare) userd
 n="ldap:///anyone";)

The problem with this, as I've said before, is that "ldap:///anyone" is NOT anonymous. In fact means "Everyone". That makes its use, particularly on a white pages directory with often sensitive information very dangerous indeed. For most applications this is irrelevant, but in the case of user information exposed on a white pages directory it can be problematic. The best option I can come up with is to replace this default rule with a much more limited one. No doubt there will be downlevel consequences to this, but there's nothing to be done about it at this point. Here is what a new "Default Anyone access" rule for an entire realm would look like:

aci: (targetattr != "objectClass || entrydn || cn || uid || ou || o || l")
 (version 3.0;acl "Default Anyone access";allow (read,compare,search)(user
 dn = "ldap:///anyone");)

Copyright 2004-2021 Phil Lembo