-w `cat /var/lib/nethserver/secrets/libuser`
Use the -y option? (and 'echo -n' the password to the file, thus without a newline character)
Start with ACLs something like this (by default, do not allow access):
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcAccess: {2} to attrs=userPassword,shadowLastChange by ssf=256 self read by ssf=256 anonymous auth by * none break
. . .
olcAccess: {9} to * by * none
I think my question is basically similar to yours, so maybe keep track of this for an answer. https://www.mail-archive.com/openldap-technical@openldap.org/msg24126.html
-----Original Message-----
To: openldap-technical@openldap.org
Subject: *****SPAM***** Adding ACL to an Attribute
Hi all,
SYSTEM: NethServer-7.6.1810, a distro using CentOS 7.6.1810
OpenLDAP: openldap-2.4.44-21.el7_6.x86_64
Extra package: Self Service Password
I am using Self Service Password with the question/answer method to change the password. I store the answer in an attribute named: info.
$answer_objectClass = "extensibleObject";
$answer_attribute = "info";
The original Account provider is LDAP, which I want to replace with Active Directory. All the users have to choose a question/answer before I replace LDAP with AD as the Account provider.
While LDAP is still the Account provider, anybody with console access to the server can see the question/answer using the command:
# ldapsearch -D cn=libuser,dc=directory,dc=nh -w `cat /var/lib/nethserver/secrets/libuser` -h 127.0.0.1
# toto, People, directory.nh
dn: uid=toto,ou=People,dc=directory,dc=nh
...
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: extensibleObject
shadowLastChange: 18220
userPassword:: cm9ibTEyMDQ0OQ==
info: {car}Honda
I created a Virtual Machine to test the scenario with 3 users.
In NethServer, the original Account provider is LDAP.
I wrote a script to extract the users and their answers to file.ldif.
I removed LDAP.
I installed the Active Directory module.
I imported the users/groups to AD. During the import, AD creates new passwords for the imported users.
I added a section to Self Service Password for AD.
I modified AD with info.ldif to include the answer.
# /usr/bin/systemd-run -M nsdc -q -t /usr/bin/ldbmodify -H /var/lib/samba/private/sam.ldb /var/lib/samba/private/file.ldif
Modified 3 records successfully
#
The users can then modify their password responding to the same question/answer they had with LDAP. All is working perfectly.
PROBLEM: I cannot encrypt the answer in LDAP because when I import the users to Active Directory, it cannot read the encrypted answer. I think that AD is using another way to encrypt/decrypt? If I don't encrypt the answer, the import to AD works correctly.
While still using LDAP as Account provider and before I change it to Active Directory, I would like to add an additional ACL so nobody can read the answer stored in "info".
After googling a lot I found a way to describe the ACL. I hope it is the right way.
access to attrs=info by self write by anonymous auth by group="cn=domain admins,ou=Groups,dc=directory,dc=nh" write by * none
How can I create the content of the newacl.ldif file to be able to add that ACL to OpenLDAP (ldapmodify -Y EXTERNAL -H ldapi:/// -f /temp/newacl.ldif)?
Thank you,
Drukpa