I want to be able to make a group that is authorized to be admins of the LDAP database, but it seems I can't do it with posixGroups.
I saw that you can edit posixGroups to be groupOfNames to enable this, but I don't want to go back and edit a bunch of posixGroups that are already structured, so I want to just add objectClass groupOfNames to one group that's enabled as admins.
I heard that the rfc2307bis.schema can let me do this, but I can't find the file anywhere.
Any help please?
James Tran writes:
I want to be able to make a group that is authorized to be admins of the LDAP database, but it seems I can't do it with posixGroups.
Strictly speaking the 'admin' is the rootdn given in slapd.conf. But if you mean to give full read and write access:
You can use "sets". They are still marked experimental, but are described in http://www.openldap.org/faq/data/cache/1133.html.
This is all written without testing, but it would be something like this:
access to * by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" set="user/objectClass & [posixGroup]" write by ...
I.e. anyone with (a) an uid attribute matching a memberUid attribute in the admin group + (b) a 'posixGroup' in objectClass.
However, note that if you grant access based on an attribute in the user's entry, then anyone with write access to that attribute in some entry can add that entry to your admin group. E.g. if you add 'by self write', anyone can add themselves to the group. And anyone who can add an entry can include an admin's uid in the entry.
If nobody can modify the uid attribute, that stops the former problem: access to attrs=uid by <the admin set above> write by * read
If others can add entries, that acl doesn't keep them out. But if e.g. only DNs below cn=users,dc=example,dc=com are admins and others with add access can't add entries there, you could instead use
access to * by dn.onelevel=cn=users,dc=example,dc=com set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" set="user/objectClass & [posixGroup]" write by ...
An alternative is to construct the user's DN in the set:
by set="user & ([uid=] + [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid + [,cn=users,dc=example,dc=com])"
or:
by set="(user & ([uid=] + [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid + [,cn=users,dc=example,dc=com]) )/objectClass & [posixGroup]"
--On Tuesday, April 10, 2007 7:40 PM +0200 Hallvard B Furuseth h.b.furuseth@usit.uio.no wrote:
James Tran writes:
I want to be able to make a group that is authorized to be admins of the LDAP database, but it seems I can't do it with posixGroups.
Strictly speaking the 'admin' is the rootdn given in slapd.conf. But if you mean to give full read and write access:
You can use "sets". They are still marked experimental, but are described in http://www.openldap.org/faq/data/cache/1133.html.
This is all written without testing, but it would be something like this:
access to * by set="user/uid & [cn=admins,cn=filegroups,dc=example,dc=com]/memberUid" set="user/objectClass & [posixGroup]"
Or you can just create a normal group...
For example, in my server I have:
dn: cn=ldapAdmin,cn=applications,dc=stanford,dc=edu
objectClass: groupOfNames
cn: ldapAdmin
member: uid=quanah,cn=accounts,dc=stanford,dc=edu
So my bind DN is a member of that group. Then in my ACLs I put:
access to * by group.base="cn=ldapAdmin,cn=Applications,dc=stanford,dc=edu" sasl_ssf=56 write by * break
--Quanah
--
Quanah Gibson-Mount
Senior Systems Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
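Putting the two replies together, here is an added slapd.conf ACL fragment (example written for this thread, not taken from either poster's server or from the OpenLDAP docs) that uses the groupOfNames approach and also closes the "write access to the membership attribute" hole Hallvard describes; the DNs under dc=example,dc=com and the user alice are assumed.

```conf
# Added example, not from the thread. Assumed suffix: dc=example,dc=com.
# The admin group is a groupOfNames, so membership lives in the group
# entry, not in each user's entry; a user cannot "join" by editing himself.
#
# dn: cn=ldapAdmin,cn=applications,dc=example,dc=com
# objectClass: groupOfNames
# cn: ldapAdmin
# member: uid=alice,cn=accounts,dc=example,dc=com

# slapd picks the FIRST "access to" clause whose target matches the
# entry/attribute being accessed, so the narrow rules must come first.

# 1. Only the admin group may change who is in the admin group.
access to dn.base="cn=ldapAdmin,cn=applications,dc=example,dc=com" attrs=member,entry
    by group.base="cn=ldapAdmin,cn=applications,dc=example,dc=com" sasl_ssf=56 write
    by * read

# 2. Users may change their own password; nobody can read it.
access to attrs=userPassword
    by group.base="cn=ldapAdmin,cn=applications,dc=example,dc=com" sasl_ssf=56 write
    by self write
    by anonymous auth
    by * none

# 3. uid (and memberUid on the existing posixGroups) stay read-only for
#    everyone but admins, so no "by self write" elsewhere can sneak an
#    extra value into an attribute that another ACL might key on.
access to attrs=uid,memberUid
    by group.base="cn=ldapAdmin,cn=applications,dc=example,dc=com" sasl_ssf=56 write
    by * read

# 4. Everything else: admins write, but only over a SASL layer with at
#    least 56-bit strength (as in Quanah's rule); everyone else reads.
access to *
    by group.base="cn=ldapAdmin,cn=applications,dc=example,dc=com" sasl_ssf=56 write
    by * read
```

Rule 4 alone would already let admins edit the group's member attribute; rule 1 exists so that a later, more permissive catch-all (or a "by self write" added for some other attribute) can never reach it.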
On Tue, Apr 10, 2007 at 08:27:37PM +0200, Hallvard B Furuseth wrote:
Quanah Gibson-Mount writes:
Or you can just create a normal group...
Yes, but I thought that was what he didn't want. (Though my reply may be a fine illustration of why he should do that anyway:-)
It's always good to learn about sets, they are very powerful
Andreas Hasenack wrote:
On Tue, Apr 10, 2007 at 08:27:37PM +0200, Hallvard B Furuseth wrote:
Quanah Gibson-Mount writes:
Or you can just create a normal group...
Yes, but I thought that was what he didn't want. (Though my reply may be a fine illustration of why he should do that anyway:-)
It's always good to learn about sets, they are very powerful
Thanks for all the suggestions guys. I ended up taking the easy way out and just making the groupOfNames instead of bundling them. The other stuff looks very useful though, and I'm glad I got that post anyway, just in case I need it in the future.