Adding ACL to an Attribute
by Drukpa Kunley
Hi all,
SYSTEM: NethServer-7.6.1810, a distro using Centos7.6.1810
OpenLDAP: openldap-2.4.44-21.el7_6.x86_64
Extra package: Self Service Password
I am using Self Service Password with question/answer method to change
the password.
I store the answer in an attribute named: info.
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
The original Account provider is LDAP which I want to replace with
Active Directory.
All the users have to choose a question/answer before I replace LDAP with
AD as the Account provider.
While LDAP is still the Account provider, anybody with console access to
the server can see the question/answer using the command:
# ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1
# toto, People, directory.nh
dn: uid=toto,ou=People,dc=directory,dc=nh
...
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
shadowLastChange: 18220
userPassword:: cm9ibTEyMDQ0OQ==
info: {car}Honda
I created a Virtual Machine to test the scenario with 3 users.
In NethServer, the original Account provider is LDAP.
I wrote a script to extract the users and their answers to file.ldif.
I remove LDAP.
I install Active Directory module.
I import the users/groups to AD. In the importation, AD creates new
passwords for the imported users.
I add a section to Self Service Password for AD.
I modify AD with info.ldif to include the answer.
# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Modified 3 records successfully
#
The users can then modify their password responding to the same
question/answer they had with LDAP.
All is working perfectly.
PROBLEM:
I cannot encrypt the answer in LDAP because when I import the users to
Active Directory, it cannot read the encrypted answer. I think that AD
is using another way to encrypt/decrypt?
If I don't encrypt the answer, the importation to AD is working correctly.
While still using LDAP as Account provider and before I change it to
Active Directory, I would like to add an additional ACL so nobody can
read the answer stored in "info".
After googling a lot I found a way to describe the ACL. I hope it is the
right way.
access to attrs=info
by self write
by anonymous auth
by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write
by * none
How can I create the content of the newacl.ldif file to be able to add that
ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif)?
Thank you,
Drukpa
4 years
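One way to turn that rule into a cn=config LDIF and apply it, as an added example that is not from the original thread: the database DN (olcDatabase={2}hdb,cn=config) and the output path /tmp/newacl.ldif are assumptions, and the group DN and libuser bind are taken from the post above.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the LDIF that inserts the
# attrs=info rule at position {0} of a database's olcAccess list and applies
# it over ldapi:///. Assumption: the user database is olcDatabase={2}hdb
# (check with show_current_acls); the rootdn is never restricted by ACLs.

DB_DN="${DB_DN:-olcDatabase={2}hdb,cn=config}"   # assumed database DN
ADMIN_GROUP='cn=domain admins,ou=Groups,dc=directory,dc=nh'

# Print the modify LDIF. The {0} prefix makes slapd insert the value first and
# renumber the existing rules; the first "to" clause matching an attribute
# wins, so the attrs=info rule must precede any "to *" rule. Lines starting
# with a space are LDIF continuations of the olcAccess value.
build_acl_ldif() {
    db_dn="$1"
    cat <<EOF
dn: ${db_dn}
changetype: modify
add: olcAccess
olcAccess: {0}to attrs=info
  by self write
  by anonymous auth
  by group="${ADMIN_GROUP}" write
  by * none
EOF
}

# List each database with its suffix and current rules (run as root on the
# server; -Y EXTERNAL over ldapi:/// authenticates as that local root).
show_current_acls() {
    ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config \
        '(olcDatabase=*)' olcSuffix olcAccess
}

apply_acl() {
    build_acl_ldif "$DB_DN" > /tmp/newacl.ldif
    ldapmodify -Y EXTERNAL -H ldapi:/// -f /tmp/newacl.ldif
}

# Check afterwards: bound as libuser, the count of "info:" lines should be 0.
verify_hidden() {
    ldapsearch -x -H ldap://127.0.0.1 -D cn=libuser,dc=directory,dc=nh \
        -w "$(cat /var/lib/nethserver/secrets/libuser)" \
        -b ou=People,dc=directory,dc=nh uid=toto info | grep -c '^info:'
}

case "${1:-}" in
    show) show_current_acls ;;
    apply) apply_acl && verify_hidden ;;
esac
```

Whatever DN Self Service Password binds as must keep read access to info (be in the admin group, or be the rootdn, which ACLs do not restrict), or the answer can no longer be verified.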
Is there a way to set a preference on entries with multiple userPassword attributes?
by Jeremy Diaz
Hello,
Currently I have LDAP entries with 2 userPassword attributes. One is a regular SHA password, while the other one delegates to SASL. However, this results in all entries binding through SASL rather than locally. I need some entries to default to SASL and other entries to default to SHA, but still fail over to the other password entry. Is this possible through OpenLDAP?
Thanks,
Jeremy
--
Jeremy Diaz
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: jeremy.diaz(a)rexconsulting.net
web: http://www.rexconsulting.net/
phone, toll-free: +1 (888) 403-8996 EXT: 5
4 years