Of course my group access rule failed miserably with the following error from slapd:
/etc/ldap/slapd.d: line 1: group "cn=$1,ou=Groups,dc=moores,dc=ca" attr "memberUid": inappropriate syntax: 1.3.6.1.4.1.1466.115.121.1.26; must be 1.3.6.1.4.1.1466.115.121.1.12 (DN), 1.3.6.1.4.1.1466.115.121.1.34 (NameUID) or a subtype of labeledURI.
It also gave me a warning for the first rule for user address books which I hadn't noticed before:
/etc/ldap/slapd.d: line 1: warning: cannot assess the validity of the ACL scope within backend naming context Backend ACL: access to dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.base,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
I have no idea what this means. Guess I'll google it.
Darryl Moore wrote:
Opps my bad, I cut and past the rules wrong
olcAccess: {1}to dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write by * read
olcAccess: {2}to dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca" write by * read
cheers, darryl
Darryl Moore wrote:
Well with a bunch of reading and even more experimentation I have been able to set up access to individual users Address Books. with the following rule:
olcAccess: {1}to dn.regex="cn=Contacts,uid=([^,]+),ou=People,dc=moores,dc=ca$" by dn.exact,expand="uid=$1,ou=People,dc=moores,dc=ca" write b$
I want to set up a seperate address book below various user groups as well, and give write access only to the members. I think the following will work.
olcAccess: {2}to dn.regex="cn=Contacts,cn=([^,]+),ou=Groups,dc=moores,dc=ca$" by group/posixGroup/memberUid="cn=$1,ou=Groups,dc=moores,dc=ca$" write
Two questions.
First do both these rules look reasonable? Are there any glaring security holes I'm missing? I think I have it right.
Two. Once I have this working I want to be able to set up various users as administrators to groups. (As you can do with gpasswd/gshadow in Linux) I looked around a lot, but have not seen anything that appears to allow you to do this with LDAP. Am I going to need to modify schemas to do this? <gulp>
Wow, I may be ready for my LPIC3 once I've figured all this out.
cheers, darryl
Darryl Moore wrote:
Thanks again, I think I figured it out. I made some edits to the olcDatabase={1}bdb.ldif file in the slapd.d, and was able to write to the database. (It sure does help when you read the right set of instructions)