Thanks for your feedback, much appreciated!
I'll try to change my groups to groupOfNames; couldn't get it to work right now and it's already late here. I've changed my LDIF file for my desired change to the following:

dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}to attrs=userPassword by self write by dn="cn=admin,dc=ldap,dc=example,dc=com" manage by anonymous auth by * none
And this works fine:
ldapmodify -H ldapi:// -Y EXTERNAL -f pwchange.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
However, when adding the line I got from Server Fault (dn="[cn=sys_allow_pw_change,ou=Groups,dc=ldap,dc=example,dc=com]/memberUi) it fails:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}mdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: <olcAccess> handler exited with 1
But this should be resolved, as soon as I've switched everything to LDAP groups. Could you please confirm that this guide is correct for enabling the groupOfNames? https://kifarunix.com/how-to-create-openldap-member-groups/ Thank you very much!
Quanah Gibson-Mount quanah@symas.com wrote on 17.01.2022 18:06:
--On Monday, January 17, 2022 5:52 PM +0100 cupcake@domayn.ch wrote:
Thanks for your answer,
Rather than a replace op, you can just delete and add ACL {0} directly, since you're not changing any of the other ACLs.
So this means I can omit the entries for olcAccess: {1} and olcAccess: {2}? And for olcAccess: {0} I would first create a delete operation and after that re-add it again? Why is that better than a replace, if I may ask?
Yes, you can use the weight in a delete op, like
ldapmodify ...
dn: ...
delete: olcAccess
olcAccess: {0}
-
add: olcAccess
olcAccess: {0}access to ...
I would say it's better than replace for a few reasons. The largest being less likely of end user error (typos, etc).
You can also do the same sort of thing to insert ACLs, like
ldapmodify ...
dn: ...
add: olcAccess
olcAccess: {1}access to ...
Would put a new ACL at {1} and increment all subsequent ACLs to preserve order.
Is sys_allow_pw_change an actual LDAP group (groupOfNames, groupOfUniqueNames, or groupOfMembers)?
ObjectClass is posixGroup and members are saved in a memberUID field:
Generally I'd advise using LDAP groups not *nix posixgroups for managing LDAP access.
I would also note that "memberUID" can be problematic if you end up with multiple entries with the same UID, an issue that DN based LDAP groups cannot encounter.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
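A small model of the ordered-value semantics Quanah describes above (delete and re-add at {0}, or add at {1} to insert and push later ACLs up), written as an added example for this thread rather than anything from the mails or from OpenLDAP itself; the starting ACL list is constructed and the helper names are my own.

```python
import re

# slapd stores ordered attribute values as '{n}text'; n is the weight.
WEIGHT = re.compile(r"^\{(\d+)\}(.*)$", re.S)

def parse(value):
    """Split '{n}text' into (n, text); a value with no weight gets None
    (slapd appends such values after the existing ones)."""
    m = WEIGHT.match(value)
    return (int(m.group(1)), m.group(2)) if m else (None, value)

def delete_acl(acls, value):
    """delete: olcAccess / olcAccess: {n}  -> drop the n-th ACL.
    A bare '{n}' selects by position; if text follows it must match."""
    n, text = parse(value)
    if n is None or n >= len(acls):
        raise ValueError(f"no ACL at {value!r}")
    if text and acls[n] != text:
        raise ValueError(f"ACL {n} is not {text!r}")
    return acls[:n] + acls[n + 1:]

def add_acl(acls, value):
    """add: olcAccess / olcAccess: {n}text -> insert at position n and
    shift every later ACL up by one, keeping their relative order."""
    n, text = parse(value)
    if n is None:
        return acls + [text]
    if n > len(acls):
        raise ValueError(f"weight {n} is past the end of the list")
    return acls[:n] + [text] + acls[n:]

def render(acls):
    """Show the list the way slapd displays it under cn=config."""
    return [f"{{{i}}}{t}" for i, t in enumerate(acls)]

# Constructed starting state (three ACLs, a common default layout).
CURRENT = [
    "to attrs=userPassword by self write by anonymous auth by * none",
    "to attrs=shadowLastChange by self write by * read",
    "to * by * read",
]
# The ACL from the thread's pwchange.ldif.
NEW_PW_ACL = ('to attrs=userPassword by self write '
              'by dn="cn=admin,dc=ldap,dc=example,dc=com" manage '
              'by anonymous auth by * none')

def replace_first(acls):
    """Delete-then-add at weight 0 instead of a replace of all values."""
    return add_acl(delete_acl(acls, "{0}"), "{0}" + NEW_PW_ACL)
```

Because only weight {0} is touched, {1} and {2} survive untouched, which is the point of preferring delete/add over a full replace.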