isMemberOf not being returned for non-superuser

This topic has 3 replies, 2 voices, and was last updated 7 years ago by Ludo.

  • #4859
     CSanchezAustin
    Participant

    I have a fairly stock OpenDJ 2.6.2 cluster installed. I’m having a problem with returning the isMemberOf virtual attribute when I search for a user as non cn=Directory Manager users, including anonymous users. I want to be able to get a user’s groups, including nested groups, which is what I understood isMemberOf would return.

    For example the following works:
    subutai:~ csanchez$ ldapsearch -H ldaps://ds1.aws.gnshc.com:1636 -D "cn=Directory Manager" -w XXXXXXXX -b "dc=gnshc,dc=com" "(uid=csanchez)" ismemberof
    # extended LDIF
    #
    # LDAPv3
    # base <dc=gnshc,dc=com> with scope subtree
    # filter: (uid=csanchez)
    # requesting: ismemberof
    #

    # csanchez, Users, gnshc.com
    dn: uid=csanchez,ou=Users,dc=gnshc,dc=com
    ismemberof: cn=Directory Administrators,ou=Groups,dc=ops,dc=gnshc,dc=com
    ismemberof: cn=TestUsers,ou=Groups,dc=gnshc,dc=com

    # search result
    search: 2
    result: 0 Success

    But this doesn’t:
    subutai:~ csanchez$ ldapsearch -H ldaps://prod-ds1.ops.gnshealthcare.com:1636 -D uid=ldapadm,ou=Users,dc=ops,dc=gnshc,dc=com -w XXXXXXX -b "dc=gnshc,dc=com" "(uid=csanchez)" ismemberof
    # extended LDIF
    #
    # LDAPv3
    # base <dc=gnshc,dc=com> with scope subtree
    # filter: (uid=csanchez)
    # requesting: ismemberof
    #

    # csanchez, Users, gnshc.com
    dn: uid=csanchez,ou=Users,dc=gnshc,dc=com

    # search result
    search: 2
    result: 0 Success

    Nor this:
    subutai:~ csanchez$ ldapsearch -H ldaps://prod-ds1.ops.gnshealthcare.com:1636 -x -b "dc=gnshc,dc=com" "(uid=csanchez)" ismemberof
    # extended LDIF
    #
    # LDAPv3
    # base <dc=gnshc,dc=com> with scope subtree
    # filter: (uid=csanchez)
    # requesting: ismemberof
    #

    # csanchez, Users, gnshc.com
    dn: uid=csanchez,ou=Users,dc=gnshc,dc=com

    # search result
    search: 2
    result: 0 Success

    #4860
     Ludo
    Moderator

    Hi,

    OpenDJ comes with a set of Global Access Controls that are meant for quick evaluation, and should be refined for production use. These ACIs grant read or write access to a number of attributes to authenticated or anonymous users.
    The “isMemberOf” attribute is not listed in these ACIs, so access is denied for all users but Directory Manager.
    Please check OpenDJ Administration Guide, the Access Control section, for indications on how to change the default ACIs.

    #4866
     CSanchezAustin
    Participant

    Thanks for the info. This is what I came up with for my specific use. Do you have any feedback on any security issues this may reveal?

    dn: ou=Users,dc=gnshc,dc=com
    changetype: modify
    add: aci
    aci: (target = "ldap:///ou=Users,dc=gnshc,dc=com")
     (targetattr = "isMemberOf")
     (version 3.0; acl "Search and read isMemberOf";
     allow (search, read) (userdn = "ldap:///anyone");)

    #4871
     Ludo
    Moderator

    The ACI does what you were expecting, allowing anyone to read the group membership of any user.
    From a security point of view, this may disclose which users are part of administrative groups and help someone to target specific users to gain a particular access or data. Of course it depends on how descriptive the Group names are.
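
As an added example, not posted in this thread and not ForgeRock’s own text, here is a narrower version of the ACI from post #4866 that addresses the disclosure Ludo describes. Instead of `ldap:///anyone`, it grants search and read on isMemberOf only to the bound user for their own entry (`ldap:///self`) and to the `uid=ldapadm` service account that appears in the second ldapsearch above. The base DN and the ldapadm DN are taken from the thread; the `acl` labels are my own, and the assumption is that ldapadm is the only non-superuser account that needs to enumerate other users’ groups.

```ldif
# Added example: replace the "anyone" ACI with two scoped ACIs.
# Apply as cn=Directory Manager, e.g. with ldapmodify.
dn: ou=Users,dc=gnshc,dc=com
changetype: modify
add: aci
# Each user can read the isMemberOf values of their own entry only.
aci: (target = "ldap:///ou=Users,dc=gnshc,dc=com")
 (targetattr = "isMemberOf")
 (version 3.0; acl "Users read their own isMemberOf";
 allow (search, read) (userdn = "ldap:///self");)
# The ldapadm service account (DN from the thread) can read isMemberOf
# for any user under ou=Users. Anonymous binds still get nothing.
aci: (target = "ldap:///ou=Users,dc=gnshc,dc=com")
 (targetattr = "isMemberOf")
 (version 3.0; acl "ldapadm reads isMemberOf of any user";
 allow (search, read)
 (userdn = "ldap:///uid=ldapadm,ou=Users,dc=ops,dc=gnshc,dc=com");)
```

After applying it, re-run the three ldapsearch commands from the first post: the Directory Manager and ldapadm searches should return the ismemberof lines, while the anonymous (`-x`) search should return only the dn, which confirms that group membership is no longer exposed to unauthenticated clients.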
