Igor Shmukler wrote:
Seems to me that not many know how to write ACLs for OpenLDAP.
It's not that hard for your case.
See relevant building blocks from
https://build.opensuse.org/package/view_file/home:stroeder:branches:network:...
attached below.
As user root you can then write cn=config and dc=example,dc=com and initialize the data. The group cn=slapd admins,ou=groups,dc=example,dc=com can read cn=config and manage dc=example,dc=com.
You alter the by-clause for cn=config
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
to let this group also write to cn=config.
I spent some time creating this public example config. There's no way around learning a bit more though. You should read and understand the example, which takes less time than writing so many list postings and waiting for detailed answers. But please understand I don't have the time to help in every detail.
Ciao, Michael.
--------------------- snip ---------------------
[..]
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used,
# system user root is mapped to the rootdn of database dc=example,dc=com,
# which is also granted access to the config database (see its ACL below)
# and read access on the monitor database.
authz-regexp
  "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
  "cn=root,dc=example,dc=com"
[..]
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should be avoided!
# See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to dn.subtree="cn=config"
  by dn.exact="cn=root,dc=example,dc=com" manage
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
  by * none
[..]
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
[..]
# Catch-all ACL for the rest
access to dn.subtree=dc=example,dc=com
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
  by self read
  by users read
  by * auth
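As an added illustration (not part of Michael's posting and not OpenLDAP's code), the Python below models the evaluation rules of slapd.access(5) for the two access directives and the authz-regexp above: the first directive whose <what> matches the entry decides, within it the first matching by clause decides, and a granted level implies every lower level. It only understands the <what>/<who> forms used in the posted config; the admin-group membership (uid=alice) and the other user DNs are constructed stand-ins for the live directory, and the parser handles slapd.conf continuation lines so the directives can be pasted in as they appear above. It also shows the effect of the suggested change (group by-clause on cn=config set to manage).

```python
"""Toy model of slapd ACL evaluation (slapd.access(5)) applied to the access
directives of the posted config.  Illustration only, not OpenLDAP's code: it
supports just the forms used there; group membership and user DNs are made up."""
import re
import shlex

# Privilege levels, ascending; granting one grants all below it (add/delete folded into write).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# authz-regexp from the posted config; the group member is constructed.
AUTHZ_REGEXPS = [(r"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth",
                  "cn=root,dc=example,dc=com")]
GROUPS = {"cn=slapd admins,ou=groups,dc=example,dc=com":
          {"uid=alice,ou=people,dc=example,dc=com"}}
POSTED_ACLS = """
access to dn.subtree="cn=config"
  by dn.exact="cn=root,dc=example,dc=com" manage
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
  by * none
access to dn.subtree=dc=example,dc=com
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
  by self read
  by users read
  by * auth
"""
# The change the posting suggests: the admin group may also write cn=config.
ALTERED_ACLS = POSTED_ACLS.replace('dc=com" read\n', 'dc=com" manage\n', 1)

def norm(dn):
    """Case-insensitive DN comparison, ignoring blanks around commas."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_subtree(dn, base):
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))

def map_sasl_identity(authc_id):
    """authz-regexp: first matching pattern rewrites the SASL identity to a DN."""
    for pattern, replacement in AUTHZ_REGEXPS:
        if re.fullmatch(pattern, authc_id, re.IGNORECASE):
            return replacement
    return authc_id  # unmapped identities keep their cn=auth form

def parse_acls(conf_text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    lines = []
    for raw in conf_text.splitlines():
        if raw[:1].isspace() and lines:  # slapd.conf(5): leading blank = continuation
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    rules = []
    for line in lines:
        tokens = shlex.split(line)  # drops the quotes around DNs
        if tokens[:2] != ["access", "to"]:
            continue
        clauses = []
        for i in range(3, len(tokens), 3):
            if tokens[i] != "by":
                raise ValueError("malformed access directive: " + line)
            clauses.append((tokens[i + 1], tokens[i + 2]))
        rules.append((tokens[2], clauses))
    return rules

def what_matches(what, entry_dn):
    kind, _, value = what.partition("=")
    if what == "*":
        return True
    if kind == "dn.subtree":
        return in_subtree(entry_dn, value)
    if kind == "dn.exact":
        return norm(entry_dn) == norm(value)
    raise ValueError("unsupported <what>: " + what)

def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None on an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if bind_dn is None:
        return False  # every remaining form needs an authenticated identity
    if who == "users":
        return True
    if who == "self":
        return norm(bind_dn) == norm(entry_dn)
    kind, _, value = who.partition("=")
    if kind == "dn.exact":
        return norm(bind_dn) == norm(value)
    if kind == "group.base":  # slapd would read the group entry's member attribute
        members = {norm(m) for g, ms in GROUPS.items() if norm(g) == norm(value) for m in ms}
        return norm(bind_dn) in members
    raise ValueError("unsupported <who>: " + who)

def granted_level(rules, bind_dn, entry_dn):
    """First matching directive decides, then its first matching by clause; a
    matching directive with no matching by clause is none (no fall-through)."""
    for what, clauses in rules:
        if what_matches(what, entry_dn):
            for who, level in clauses:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"
    return "none"  # nothing matched: with ACLs configured that is a deny

def allowed(rules, bind_dn, entry_dn, requested):
    return LEVELS.index(granted_level(rules, bind_dn, entry_dn)) >= LEVELS.index(requested)
```

Two things the model makes visible: cn=root needs an explicit by clause on cn=config only because it is the rootdn of dc=example,dc=com, not of the config database (a database's rootdn bypasses that database's ACLs entirely), and "by * auth" at the end of the catch-all is what lets anonymous clients bind while giving them nothing else. Against a real server the authoritative check is slapacl(8) on the actual configuration, along the lines of slapacl -f slapd.conf -D "cn=root,dc=example,dc=com" -b "cn=config" entry/manage.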