Hello Michael,
Thank you for the additional information.
I tried to do remapping inside a DIT database. Wrote the tiny snippet below:

$ cat set_config_regexp.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,dc=directory,dc=com"

$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f set_config_regexp.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: Object class violation (65)
        additional info: attribute 'olcAuthzRegexp' not allowed
I obviously do not know whether something is wrong with my syntax, or whether messed-up syntax could produce the above error. Seems like more than a syntax problem.
It appears to me that remapping anything for olcDatabase={0}config,cn=config would not help me either. I have multiple DITs each managed by a separate RootDN.
What am I doing wrong?
Sincerely,
Igor Shmukler
On Fri, Mar 20, 2015 at 9:47 AM, Michael Ströder michael@stroeder.com wrote:
Igor Shmukler wrote:
Seems to me that not many know how to write ACLs for OpenLDAP.
It's not that hard for your case.
See relevant building blocks from https://build.opensuse.org/package/view_file/home:stroeder:branches:network:... attached below.
As user root you can then write cn=config and dc=example,dc=com and initialize the data. The group cn=slapd admins,ou=groups,dc=example,dc=com can read cn=config and manage dc=example,dc=com.
You alter the by-clause for cn=config
by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
to let this group also write to cn=config.
I spent some time creating this public example config. There's no way around learning a bit more though. You should read and understand the example, which takes less time than writing so many list postings and waiting for detailed answers. But please understand I don't have the time to help in every detail.
Ciao, Michael.
--------------------- snip ---------------------
[..]
# If connected via IPC socket (ldapi:///) and SASL/EXTERNAL was used
# System user root is mapped to the rootdn in database dc=example,dc=com
# which has also read access on config and monitor databases
authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
[..]
#---------------------------------------------------------------------------
# cn=config // Configuration database (always first!)
# see slapd-config(5)
#---------------------------------------------------------------------------
database config
# Cleartext passwords, especially for the rootdn, should
# be avoided! See slappasswd(8) and slapd.conf(5) for details.
# Best thing is not to set rootpw at all!
# For local config access by root use LDAPI with SASL/EXTERNAL instead
# (see above).
#rootpw secret
access to dn.subtree="cn=config"
  by dn.exact="cn=root,dc=example,dc=com" manage
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
  by * none
[..]
#---------------------------------------------------------------------------
# dc=example,dc=com // Example MDB database to be used by normal clients
# see slapd-mdb(5)
#---------------------------------------------------------------------------
database mdb
suffix "dc=example,dc=com"
[..]
# Catch-all ACL for the rest
access to dn.subtree=dc=example,dc=com
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
  by self read
  by users read
  by * auth
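The snippet above is in slapd.conf(5) syntax, while the server in the first message is configured through cn=config. The following is an added example, not from the original thread and not Michael's published config, showing the same three building blocks expressed as ldapmodify LDIF for slapd-config(5). It assumes the data database entry is olcDatabase={1}mdb,cn=config (it would be olcDatabase={1}hdb,cn=config for an hdb backend), that its olcRootDN is already cn=root,dc=example,dc=com, and that the group cn=slapd admins,ou=groups,dc=example,dc=com exists. The authz-regexp directive corresponds to olcAuthzRegexp, which is a global attribute (olcGlobal) and therefore belongs on the cn=config entry itself, not on a database entry; the access directives correspond to olcAccess on the respective database entries.

```ldif
# File 1 (added example): authz-regexp.ldif
# Maps the ldapi:/// + SASL/EXTERNAL identity of system user root to
# cn=root,dc=example,dc=com. olcAuthzRegexp lives on the global
# cn=config entry (objectClass olcGlobal), not on olcDatabase={n}... .
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}"gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"

# File 2 (added example): acls.ldif
# Apply with a separate ldapmodify invocation after file 1, so that the
# new bind is already mapped to cn=root,dc=example,dc=com (the mapping is
# computed at bind time, not re-evaluated on an open connection).
# Database entry names ({0}config, {1}mdb) are assumptions; check with
# ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config dn before applying.
dn: olcDatabase={0}config,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="cn=config"
  by dn.exact="cn=root,dc=example,dc=com" manage
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" read
  by * none

dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to dn.subtree="dc=example,dc=com"
  by group.base="cn=slapd admins,ou=groups,dc=example,dc=com" manage
  by self read
  by users read
  by * auth
```

Both files are applied as root over the IPC socket, e.g. `ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-regexp.ldif` and then, in a fresh invocation, `ldapmodify -Y EXTERNAL -H ldapi:/// -f acls.ldif`. The order matters: once the config-database olcAccess is replaced, only cn=root,dc=example,dc=com and the admin group can reach cn=config, so the mapping from file 1 must already be in effect for the binding connection or you lock yourself out of further config changes. The lines starting with a single space are LDIF continuation lines and are joined into one olcAccess value; `replace: olcAccess` discards any distribution-default olcAccess values on those entries, so review them first with the ldapsearch command in the comment.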