Thomas Schweikle wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a Group to set up users allowed to access and write to entries inside my tree:
I've created the group:
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames (important for the group acl feature)
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
in
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
  by group.exact="cn=administrators,dc=example,dc=com" write
  by dn="cn=adm,dc=example,dc=com" write
  by anonymous auth
  by self write
  by * none
olcAccess: to dn.base=""
  by * read
olcAccess: to *
  by group.exact="cn=administrators,dc=example,dc=com" write
  by dn="cn=adm,dc=example,dc=com" write
  by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com".
- The password field is empty -- it should hold a value
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access"
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
The OpenLDAP server is unable to authenticate user1 unless user1 has a valid password. I assume that adm is your admin DN. Try to set an initial password for user1 with the adm account. And then verify that a search operation is successful before trying to write.
In your acls you use "dc=example,dc=com" as suffix, but your real suffix is "dc=xompu,dc=de". Isn't it?
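
The checks suggested in the reply, written out as an added example that is not part of the original thread: compare the DNs in use against olcSuffix, then set a password, bind and search before attempting a write. The server URI, the variable and function names and the `--run` switch are assumptions; the DNs are the ones posted above.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes the OpenLDAP client tools,
# simple binds (-x) and DNs without escaped commas.
URI="${URI:-ldap://localhost}"                 # assumption: server URI
SUFFIX='dc=example,dc=com'                     # olcSuffix in the posted config
ADMIN_DN='cn=adm,dc=example,dc=com'            # olcRootDN in the posted config
USER_DN='cn=user1,ou=Users,dc=example,dc=com'  # group member from the post
TARGET_DN='cn=user3,ou=Users,dc=xompu,dc=de'   # DN from the error message

# Lower-case a DN and drop spaces around commas so DNs compare reliably.
norm_dn() { printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g'; }

# Succeed when DN $1 equals suffix $2 or lies below it.
dn_under_suffix() {
  _d=$(norm_dn "$1"); _s=$(norm_dn "$2")
  case "$_d" in "$_s"|*",$_s") return 0 ;; *) return 1 ;; esac
}

# Print every DN in $2.. that lies outside suffix $1, one per line.
dns_outside_suffix() {
  _suffix=$1; shift
  for _dn in "$@"; do
    dn_under_suffix "$_dn" "$_suffix" || printf '%s\n' "$_dn"
  done
}

# Step 1: as the admin DN, set an initial password (prompted, never in argv).
set_initial_password() { ldappasswd -x -H "$URI" -D "$ADMIN_DN" -W -S "$1"; }
# Step 2: confirm the user can bind at all.
verify_bind() { ldapwhoami -x -H "$URI" -D "$1" -W; }
# Step 3: confirm a read works before attempting a write.
verify_search() { ldapsearch -x -H "$URI" -D "$1" -W -b "$2" -s base dn; }

# The server is only contacted when the script is invoked with --run.
if [ "${1:-}" = "--run" ]; then
  bad=$(dns_outside_suffix "$SUFFIX" "$ADMIN_DN" "$USER_DN" "$TARGET_DN")
  if [ -n "$bad" ]; then
    # ACL and group DNs under one suffix never match entries under another.
    echo "DNs outside olcSuffix $SUFFIX:"; echo "$bad"; exit 1
  fi
  set_initial_password "$USER_DN" && verify_bind "$USER_DN" &&
    verify_search "$USER_DN" "$USER_DN"
fi
```

With the values posted in the thread, the suffix check stops the run at `cn=user3,ou=Users,dc=xompu,dc=de`, which is the mismatch the reply points out.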