On 31.01.2011 11:52, harry.jede@arcor.de wrote:
Thomas Schweikle wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a Group to set up users allowed to access and write to entries inside my tree:
I've created the group:

dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames   (important for the group acl feature)
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com

in

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com".
- The password field is empty -- it should hold a value
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access"
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
The openldap server is unable to authenticate user1 unless user1 has a valid password. I assume that adm is your admin DN. Try to set an initial password for user1 with the adm account. And then verify that a search operation is successful before trying to write.
user1 has a password and is authenticated via kerberos. This is working as expected. A ticket is granted. There is no password within LDAP for this user.
user2 has no kerberos password and is authenticated via ldap. This is working as expected.
1. I can log in with both users.
2. I can view the database with both users.
3. I can't change password with any of the users, but this seems to be a bug introduced by ubuntu and pam configuration. Maybe it is a regression, since it has worked for some time in the past.
4. How do I set up a group of users to change and reset passwords for other users? It is not useful to do it:
   - login to the server
   - sudo to root
   - export the user
   - edit the exported ldif to apply changes
   - use ldapmodify to apply the changes made
   This is a lot too complicated and error prone. I'd like to use gq or something else (not web based) and I'd like to have additional users having the right to do it, not giving them my rootDN including password. Ideally these users would have to be authenticated by kerberos, as this would give an encrypted connection to the ldap server.
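Whether user1, as a member of cn=administrators, ends up with write access to userPassword comes down to how slapd walks the olcAccess list: the first "to" clause that selects the entry/attribute is used, and inside it the first "by" clause that matches the bound DN decides the level (every directive ends with an implicit "by * none", and the list ends with an implicit "access to * by * none"). The Python below is an added evaluator written for this thread, not OpenLDAP code: it re-implements that first-match rule over the three olcAccess values quoted above, with the group membership from the groupOfNames entry and the sample DNs embedded inline. Two things are assumptions of this simplified model: a bare dn="..." clause is compared as an exact DN string, and the unmapped SASL identity DN used in the last case is a constructed example of a bind DN that is not listed as a member.

```python
import re

# Access levels in the order slapd.access(5) defines them; granting a level
# implies every level to its left.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# The rootdn from the thread's olcDatabase entry; slapd never consults ACLs for it.
ROOT_DN = "cn=adm,dc=example,dc=com"

# The three olcAccess values from the thread, copied verbatim.
OLC_ACCESS = [
    'to attrs=userPassword,shadowLastChange,krbPrincipalKey '
    'by group.exact="cn=administrators,dc=example,dc=com" write '
    'by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none',
    'to dn.base="" by * read',
    'to * by group.exact="cn=administrators,dc=example,dc=com" write '
    'by dn="cn=adm,dc=example,dc=com" write by * read',
]

# Constructed stand-in for the directory: all the evaluator needs is which DNs
# the groupOfNames lists as member values (taken from the thread's group entry).
GROUPS = {
    "cn=administrators,dc=example,dc=com": {
        "cn=user1,ou=Users,dc=example,dc=com",
        "cn=user2,ou=Users,dc=example,dc=com",
    },
}


def parse_access(directive):
    """Split one olcAccess value into its <what> and an ordered list of (<who>, level)."""
    parts = re.split(r"\s+by\s+", directive.strip())
    what = parts[0]
    if not what.startswith("to "):
        raise ValueError("olcAccess value must start with 'to '")
    by_clauses = []
    for clause in parts[1:]:
        who, level = clause.rsplit(None, 1)  # the last token is the access level
        if level not in LEVELS:
            raise ValueError("unknown access level: " + level)
        by_clauses.append((who, level))
    return what[3:].strip(), by_clauses


def what_matches(what, target_dn, attr):
    """Does the <what> part select this (entry, attribute) pair?"""
    if what == "*":
        return True
    if what.startswith("attrs="):
        wanted = {a.lower() for a in what[len("attrs="):].split(",")}
        return attr is not None and attr.lower() in wanted
    m = re.fullmatch(r'dn\.base="(.*)"', what)
    if m:
        return target_dn == m.group(1)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, binder_dn, target_dn):
    """Does the <who> part describe this binder? binder_dn=None means anonymous."""
    if who == "*":
        return True
    if who == "anonymous":
        return binder_dn is None
    if who == "self":
        return binder_dn is not None and binder_dn == target_dn
    m = re.fullmatch(r'dn="(.*)"', who)
    if m:  # simplification: a bare dn= is compared as an exact DN string
        return binder_dn == m.group(1)
    m = re.fullmatch(r'group\.exact="(.*)"', who)
    if m:  # matches only if the bound DN is literally one of the member values
        return binder_dn in GROUPS.get(m.group(1), set())
    raise ValueError("unsupported <who>: " + who)


def granted_level(binder_dn, target_dn, attr=None):
    """Level slapd grants: the first <to> clause selecting the target is used,
    and inside it the first <by> clause matching the binder decides."""
    if binder_dn == ROOT_DN:
        return "manage"  # rootdn bypasses access control entirely
    for directive in OLC_ACCESS:
        what, by_clauses = parse_access(directive)
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by_clauses:
            if who_matches(who, binder_dn, target_dn):
                return level
        return "none"  # implicit trailing 'by * none'
    return "none"  # implicit trailing 'access to * by * none'


def allowed(binder_dn, target_dn, attr, wanted):
    """True if the granted level is at least the requested one."""
    return LEVELS.index(granted_level(binder_dn, target_dn, attr)) >= LEVELS.index(wanted)


if __name__ == "__main__":
    user1 = "cn=user1,ou=Users,dc=example,dc=com"
    user3 = "cn=user3,ou=Users,dc=example,dc=com"
    unmapped = "uid=user1,cn=example.com,cn=gssapi,cn=auth"  # constructed, not a member
    for binder, target, attr, level in [
        (user1, user3, "userPassword", "write"),
        (user3, user3, "userPassword", "write"),
        (user3, user1, "userPassword", "read"),
        (None, user3, "userPassword", "auth"),
        (unmapped, user3, "userPassword", "write"),
    ]:
        print(binder, "->", target, attr, level, ":", allowed(binder, target, attr, level))
```

The last case is the one worth checking on a real server: the group.exact clause only matches when the DN slapd associates with the bind is literally a member value, so a Kerberos/SASL bind that is not mapped onto the user's directory DN never matches the group. `ldapwhoami -Y GSSAPI` shows the DN the server actually sees, and `slapacl -b "cn=user3,ou=Users,dc=example,dc=com" -D "cn=user1,ou=Users,dc=example,dc=com" userPassword/write` evaluates the live ACLs for a given bind DN without going through a client.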
In your acls you use "dc=example,dc=com" as suffix, but your real suffix is "dc=xompu,dc=de". Isn't it?
Both. One is my staging server, the other is the one that is to go into production if I ever get it running!