Hi, my DIT is something like this:
dc=<base>
|__ dc=<domain_1>
|   |__ o=<org_1>
|   |   |__ cn=user_domain1_1
|   |   |__ cn=user_domain1_2
|   |   |__ cn=user_domain1_3
|   |__ o=<org_2>
|       |__ cn=user_domain1_3
|       |__ cn=user_domain1_4
|       |__ cn=user_domain1_5
|__ dc=<domain_2>
    |__ o=<org_3>
    |   |__ cn=user_domain2_1
    |   |__ cn=user_domain2_2
    |   |__ cn=user_domain2_3
    |__ o=<org_4>
        |__ cn=user_domain2_3
        |__ cn=user_domain2_4
        |__ cn=user_domain2_5
I would like to create one administrative account for each domain (<domain_1> and <domain_2>)
Here is my way:
I create a new branch:
dc=<base>
|__ o=Administrators
    |__ ou=<domain_1>_Administrators
        |__ cn=Administrator1
then I insert a new directive in slapd.conf
access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
Here is the response when I try to connect with the <domain_1>Administrators credentials:
Error opening connection:
[LDAP: error code 49 - Invalid Credentials]
Here is the OpenLDAP output in debug mode:
daemon: activity on 1 descriptor
daemon: activity on:
slap_listener_activate(7):
daemon: epoll: listen=7 busy
>>> slap_listener(ldap://<my_host>:1389)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: listen=7, new connection on 11
daemon: added 11r (active) listener=(nil)
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next: tag 0x30 len 83 contents:
op tag 0x60, time 1268990296
ber_get_next
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
conn=1000 op=0 do_bind
ber_scanf fmt ({imt) ber:
ber_scanf fmt (m}) ber:
>>> dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>
<<< dnPrettyNormal: <cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>>, <cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>>
do_bind: version=3 dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" method=128
bdb_dn2entry("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
=> bdb_dn2id("dc=<base>")
<= bdb_dn2id: got id=0x1
=> bdb_dn2id("o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x12
=> bdb_dn2id("ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x13
=> bdb_dn2id("cn=administrator1,ou=<domain_1>administrators,o=administrators,dc=<base>")
<= bdb_dn2id: got id=0x14
entry_decode: "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
<= entry_decode(cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>)
send_ldap_result: conn=1000 op=0 p=3
send_ldap_response: msgid=1 tag=97 err=49
ber_flush2: 14 bytes to sd 11
daemon: activity on 1 descriptor
daemon: activity on: 11r
daemon: read active on 11
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_get(11): got connid=1000
connection_read(11): checking for input on id=1000
ber_get_next
ber_get_next on fd 11 failed errno=0 (Success)
connection_read(11): input error=-2 id=1000, closing.
connection_closing: readying conn=1000 sd=11 for close
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
connection_close: conn=1000 sd=11
daemon: removing 11
Same result with this policy:
access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
I can access only with this policy:
access to * by * write
I compiled OpenLDAP 2.4.21 with default settings.
Here is my slapd.conf:
include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/core.schema
include /sw/test_domain_openldap-2.4.21/etc/openldap/schema/cosine.schema

pidfile /sw/test_domain_openldap-2.4.21/var/run/slapd.pid
argsfile /sw/test_domain_openldap-2.4.21/var/run/slapd.args

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=<base>"
rootdn "cn=Manager,dc=<base>"
rootpw testdomain
directory /sw/test_domain_openldap-2.4.21/var/openldap-data
index objectClass eq

access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
Thanks in advance! Carlo
On Fri, 2010-03-19 at 12:54 +0100, Carlo Pradissitto wrote:
access to * by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by * write
#access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
With no access stanza, OpenLDAP defaults to:
access to * by anonymous read by * none
As soon as you assign an access stanza, this default goes away.
As it stands, you are not giving Administrator1 any permission to bind. Your access stanza doesn't mention anything under the administrative section.
At the very least, you will need something like:
access to dn.subtree="o=Administrators,dc=<base>" by anonymous bind
You *will* need to fine-tune this. ;-)
Some decent information on ACLs can be found at http://www.zytrax.com/books/ldap/ch6/
Also, set debug level 128 to view ACL processing -- this will be invaluable to you.
Hi Owen, thanks for the explanation! Now everything works fine with these options:
access to dn.subtree="o=Administrators,dc=<base>" by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
access to dn.subtree="dc=<domain_2>,dc=<base>" by dn="cn=Administrator1,ou=<domain_2>Administrators,o=Administrators,dc=<base>" write
Thank you! Carlo
2010/3/19 Owen Marshall omarshall@facilityone.com
-- Owen Marshall FacilityONE omarshall@facilityone.com | (502) 805-2126
On 19/03/2010 12:54, Carlo Pradissitto wrote:
Hi Carlo,
You need to add an ACL to allow the administrator to BIND (authenticate) to the directory. Try this:
access to dn.subtree="ou=<domain_1>Administrators,o=Administrators,dc=<base>" by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>" write
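The behaviour Owen describes (once any access directive is present, whatever is not explicitly granted is denied, and a simple bind needs auth access to the bind DN's userPassword) and the working ACL set from Carlo's follow-up and the reply above can be checked against a small model of slapd's first-match ACL evaluation. The block below is an added illustration for this thread, not code from OpenLDAP or from any of the posters. It parses only the directive syntax used here (dn.subtree, attrs, and the by *, anonymous, users, self and dn="..." clauses); real slapd supports far more. The DNs reuse Carlo's placeholders, and the HARDENED rule set is an assumption of mine, not something proposed in the thread.

```python
"""Toy model of how slapd evaluates slapd.conf 'access' directives.

Added illustration for this thread, not OpenLDAP code.  Handles only:
  access to [dn.subtree="..."] [attrs=a,b] | *  by <who> <level> [by ...]
with <who> in {*, anonymous, users, self, dn="..."}.  The rule sets and
DNs below mirror the thread's placeholders; HARDENED is my own variant.
"""
import re

# Access levels from least to most privileged; each implies the lower ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ADMIN = "cn=Administrator1,ou=<domain_1>Administrators,o=Administrators,dc=<base>"
USER = "cn=user_domain1_1,o=<org_1>,dc=<domain_1>,dc=<base>"
OTHER = "cn=user_domain2_1,o=<org_3>,dc=<domain_2>,dc=<base>"

# Carlo's original directive: write on the domain subtree and nothing else.
ORIGINAL = f'access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="{ADMIN}" write'

# The working set from Carlo's follow-up (domain_1 part only).
FIXED = f'''
access to dn.subtree="o=Administrators,dc=<base>" by anonymous auth
access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="{ADMIN}" write
'''

# Assumed tighter variant (not from the thread): anonymous clients may use
# userPassword only to authenticate, users may change their own password,
# the domain administrator may reset it, and domain data is hidden from
# anonymous clients.  Note the per-attribute rules come first: order matters.
HARDENED = f'''
access to dn.subtree="o=Administrators,dc=<base>" attrs=userPassword by anonymous auth by self write by * none
access to dn.subtree="dc=<domain_1>,dc=<base>" attrs=userPassword by anonymous auth by self write by dn="{ADMIN}" write by * none
access to dn.subtree="dc=<domain_1>,dc=<base>" by dn="{ADMIN}" write by users read
'''


def norm(dn):
    """Rough case- and whitespace-insensitive comparison form of a DN."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def parse_what(what):
    subtree = re.search(r'dn\.subtree="([^"]+)"', what)
    attrs = re.search(r"attrs=(\S+)", what)
    return {"subtree": subtree.group(1) if subtree else None,
            "attrs": set(attrs.group(1).split(",")) if attrs else None}


def parse_by(clause):
    who, level = clause.rsplit(None, 1)          # e.g. 'dn="..." write'
    if level not in LEVELS:
        raise ValueError("unknown access level: " + level)
    return who.strip(), level


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments, as slapd does
        if not line.startswith("access to "):
            continue
        head, *by_clauses = re.split(r"\s+by\s+", line)
        rules.append((parse_what(head[len("access to "):]),
                      [parse_by(c) for c in by_clauses]))
    return rules


def who_matches(who, requester, target_dn):
    """requester is the bound DN, or None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester is None
    if who == "users":
        return requester is not None
    if who == "self":
        return requester is not None and norm(requester) == norm(target_dn)
    m = re.fullmatch(r'dn="([^"]+)"', who)
    return bool(m) and requester is not None and norm(requester) == norm(m.group(1))


def access(rules, requester, target_dn, attr=None):
    """Level `requester` gets on `attr` of `target_dn` (attr=None: the entry).

    The first directive whose target matches wins; inside it the first matching
    'by' clause decides, and an unmatched directive still yields 'none' (the
    implicit trailing 'by * none').  No matching directive at all: 'none'.
    """
    for what, by_clauses in rules:
        if what["subtree"] and not in_subtree(target_dn, what["subtree"]):
            continue
        if what["attrs"] is not None and (attr is None or attr not in what["attrs"]):
            continue
        for who, level in by_clauses:
            if who_matches(who, requester, target_dn):
                return level
        return "none"
    return "none"


def can_bind(rules, bind_dn):
    """A simple bind runs anonymously and needs at least 'auth' on userPassword."""
    level = access(rules, None, bind_dn, "userPassword")
    return LEVELS.index(level) >= LEVELS.index("auth")
```

Run against ORIGINAL, can_bind(ADMIN) is False because the administrator's own entry lives under o=Administrators, which no directive mentions; that is the err=49 in the debug output. With FIXED the administrator binds and gets write on domain_1, but can_bind(USER) is now False too: nothing grants anonymous auth on the users' own userPassword, so ordinary domain users can no longer log in. HARDENED restores that while keeping the rest closed: the domain_1 administrator gets nothing in domain_2 and anonymous clients get nothing on domain data. Whatever rule set you settle on, confirm it on the real server with the ACL debug level (128) Owen recommends rather than trusting a model.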