Hi, my DIT is something like this:

    dc=<base>
    |__ dc=<domain_1>
    |   |__ o=<org_1>
    |   |   |__ cn=user_domain1_1
    |   |   |__ cn=user_domain1_2
    |   |   |__ cn=user_domain1_3
    |   |__ o=<org_2>
    |       |__ cn=user_domain1_3
    |       |__ cn=user_domain1_4
    |       |__ cn=user_domain1_5
    |__ dc=<domain_2>
        |__ o=<org_3>
        |   |__ cn=user_domain2_1
        |   |__ cn=user_domain2_2
        |   |__ cn=user_domain2_3
        |__ o=<org_4>
            |__ cn=user_domain2_3
            |__ cn=user_domain2_4
            |__ cn=user_domain2_5
I would like to create one administrative account for each domain (<domain_1> and <domain_2>).
Here is my way:
I create a new branch:
    dc=<base>
    |__ o=Administrators
        |__ ou=<domain_1>_Administrators
            |__ cn=Administrator1
then I insert a new directive in slapd.conf:

    access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
Here is the response when I try to connect with the <domain_1>Administrators credentials:

    Error opening connection:
    [LDAP: error code 49 - Invalid Credentials]
Here is OpenLDAP's output in debug mode:

    daemon: activity on 1 descriptor
    daemon: activity on:
    slap_listener_activate(7):
    daemon: epoll: listen=7 busy
    >>> slap_listener(ldap://<my_host>:1389)
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: listen=7, new connection on 11
    daemon: added 11r (active) listener=(nil)
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    daemon: activity on 1 descriptor
    daemon: activity on: 11r
    daemon: read active on 11
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    connection_get(11): got connid=1000
    connection_read(11): checking for input on id=1000
    ber_get_next
    ber_get_next: tag 0x30 len 83 contents:
    op tag 0x60, time 1268990296
    ber_get_next
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    conn=1000 op=0 do_bind
    ber_scanf fmt ({imt) ber:
    ber_scanf fmt (m}) ber:
    >>> dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>
    <<< dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>, <cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>>
    do_bind: version=3 dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" method=128
    bdb_dn2entry("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
    => bdb_dn2id("dc=<base>")
    <= bdb_dn2id: got id=0x1
    => bdb_dn2id("o=administrators,dc=<base>")
    <= bdb_dn2id: got id=0x12
    => bdb_dn2id("ou=<domain_1>administrators,o=administrators,dc=<base>")
    <= bdb_dn2id: got id=0x13
    => bdb_dn2id("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
    <= bdb_dn2id: got id=0x14
    entry_decode: "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
    <= entry_decode(cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>)
    send_ldap_result: conn=1000 op=0 p=3
    send_ldap_response: msgid=1 tag=97 err=49
    ber_flush2: 14 bytes to sd 11
    daemon: activity on 1 descriptor
    daemon: activity on: 11r
    daemon: read active on 11
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    connection_get(11): got connid=1000
    connection_read(11): checking for input on id=1000
    ber_get_next
    ber_get_next on fd 11 failed errno=0 (Success)
    connection_read(11): input error=-2 id=1000, closing.
    connection_closing: readying conn=1000 sd=11 for close
    daemon: activity on 1 descriptor
    daemon: activity on:
    daemon: epoll: listen=7 active_threads=0 tvp=NULL
    connection_close: conn=1000 sd=11
    daemon: removing 11
Same result with this policy:

    access to dn.subtree="dc=<domain_1>,dc=<base>" by * write

I can access only with this policy:

    access to * by * write
I compiled OpenLDAP 2.4.21 with default settings.
Here is my slapd.conf:

    include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/core.schema
    include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/cosine.schema

    pidfile /sw/test_domain_openldap-2.4.21/var/run/slapd.pid
    argsfile /sw/test_domain_openldap-2.4.21/var/run/slapd.args

    #######################################################################
    # BDB database definitions
    #######################################################################

    database bdb
    suffix "dc=<base>"
    rootdn "cn=Manager,dc=<base>"
    rootpw testdomain
    directory /sw/test_domain_openldap-2.4.21/var/openldap-data
    index objectClass eq

    access to * by * write
    #access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
    #access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
thanks in advance! Carlo
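Added example, not part of Carlo's message: the ACL shape that addresses this class of failure in OpenLDAP 2.4. Once a database has any `access` directive, slapd uses the first `access to` clause whose target matches and, within it, the first `by` clause that matches the requester; an entry matched by no clause at all gets no access. A simple bind needs at least `auth` access to the `userPassword` of the entry being bound as, and here that entry lives under o=Administrators, outside the only subtree the rule protects, so the password can never be checked and the bind ends in err=49 regardless of the password supplied. `access to * by * write` "works" only because it grants everything to everyone, including anonymous clients, which is also why it is not a setting to keep. The placeholders `<base>`, `<domain_1>` and `Administrator1` are the ones from the message; the `ou` spelling follows the bind DN in the debug output, and the `by users read` lines are an assumed policy for ordinary users, not something the message specifies.

```conf
# Added example, not the poster's configuration.  Order matters: the first
# "access to" whose target matches wins, then the first matching "by";
# anything not matched by any clause gets no access at all.

# 1. Passwords.  The binding entry needs "auth" on its own userPassword,
#    otherwise every simple bind fails with err=49 (Invalid Credentials).
#    "self write" lets an entry change its own password; nobody else can
#    read the stored hashes.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

# 2. Delegated administration of one domain only.  dn.exact is the same as
#    the bare dn= form used in the message, just explicit about the match.
#    "by users read" is an assumption for the ordinary accounts.
access to dn.subtree="dc=<domain_1>,dc=<base>"
        by dn.exact="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
        by users read
        by * none

# 3. Everything else (the o=Administrators branch, dc=<domain_2>, ...):
#    authenticated users may read, anonymous gets nothing.  Contrast with
#    "access to * by * write", which lets anonymous clients rewrite the
#    whole directory.
access to *
        by users read
        by * none
```

After restarting slapd, `ldapwhoami -x -H ldap://<my_host>:1389 -D "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" -W` should print the bound DN instead of error 49, and `slapacl -f <path-to-slapd.conf> -D "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" -b "dc=<domain_1>,dc=<base>" entry/write` checks the delegated rule against the database without a live bind. The same pattern extends to a second administrator for dc=<domain_2> by adding another rule of the second kind before the catch-all.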