On 31.01.2011 08:29, Dieter Kluenter wrote:
On Sun, 30 Jan 2011 23:36:13 +0100, Thomas Schweikle tps@vr-web.de wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a Group to set up users allowed to access and write to entries inside my tree:
I've created the group:

dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames   (important for the group ACL feature)
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com

in

dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now, trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
- The password field is empty -- it should hold a value.
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access"
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
I had found this, read it, but got no additional information out of it. I'd like to have access to the database for some people only, mainly to reset passwords. I've tried. It did not work. I'd read the chapters in the admin manual. Didn't help. I am asking the list --- and I am redirected to these already known documents. Doesn't help either.
I've found this, read it, modified it to match my data, imported it. And noticed it not changing anything. AFAIK I shall have access to change the password of existing users. In reality I do not even have access to read the password???
At the moment I am having:

olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=adm,dc=example,dc=com" write by group.exact="cn=administrators,dc=example,dc=com" write by anonymous auth by self write by * none
cn=adm,dc=example,dc=com has write access to these attributes, members of the group cn=administrators,dc=example,dc=com have write access, and the one who is authenticated as his own cn has write access. Anonymous users can authenticate. All authenticated users may read. All non-authenticated users do not have any access at all.
olcAccess: {1}to dn.base="" by * read
Anyone may read the tree from dn.base on.
olcAccess: {2}to * by dn="cn=adm,dc=example,dc=com" write by group.exact="cn=administrators,dc=example,dc=com" write by * read
cn=adm,dc=example,dc=com has write access, as have members of the group cn=administrators,dc=example,dc=com. All others have read access.
It seems this interpretation is wrong. How do I have to interpret it correctly?
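Added example, not from the thread or from OpenLDAP itself: a small Python model of how slapd walks olcAccess clauses (the first matching "to" clause wins, the first matching "by" inside it decides, anything unmatched gets none, and the rootdn bypasses ACLs), loaded with the three clauses and the group posted above so that the level each bind DN should get on a given attribute can be checked. The group members and olcRootDN are constructed to match the thread; the DN normalisation is deliberately crude.

```python
# slapd's access levels, weakest first; granting a level also grants all below it.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# Constructed directory contents mirroring the thread: the group and its members.
GROUPS = {"cn=administrators,dc=example,dc=com": {
    "cn=user1,ou=users,dc=example,dc=com", "cn=user2,ou=users,dc=example,dc=com"}}
ROOTDN = "cn=adm,dc=example,dc=com"  # olcRootDN from the thread
# The thread's three olcAccess clauses, in order, as (target, [(who, level), ...]).
ACLS = [
    ({"attrs": {"userpassword", "shadowlastchange", "krbprincipalkey"}},
     [("group.exact=cn=administrators,dc=example,dc=com", "write"),
      ("dn=cn=adm,dc=example,dc=com", "write"),
      ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"dn.base": ""}, [("*", "read")]),
    ({}, [("group.exact=cn=administrators,dc=example,dc=com", "write"),
          ("dn=cn=adm,dc=example,dc=com", "write"), ("*", "read")]),
]

def norm(dn):
    """Crude DN normalisation (case and spacing); enough for this model."""
    return dn.lower().replace(", ", ",")

def target_matches(what, entry_dn, attr):
    # "to *" carries no keys and matches every entry and attribute.
    if "dn.base" in what and norm(entry_dn) != norm(what["dn.base"]):
        return False
    return "attrs" not in what or attr.lower() in what["attrs"]

def who_matches(who, bind_dn, entry_dn):
    bind, target = norm(bind_dn), norm(entry_dn)
    if who.startswith("group.exact="):  # bind DN listed in the group's member attribute
        return bind in {norm(m) for m in GROUPS.get(norm(who[12:]), ())}
    if who.startswith("dn="):  # a plain dn= is an exact match
        return bind == norm(who[3:])
    return (who == "*" or (who == "anonymous" and bind == "")
            or (who == "self" and bind != "" and bind == target))

def granted(bind_dn, entry_dn, attr):
    """Level slapd grants bind_dn on attr of entry_dn under ACLS."""
    if norm(bind_dn) == norm(ROOTDN):
        return "manage"  # the rootdn is never subject to ACLs
    for what, bys in ACLS:
        if target_matches(what, entry_dn, attr):  # first matching "to" wins
            for who, level in bys:  # first matching "by" decides
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"  # "to" matched but no "by" did: implicit "by * none"
    return "none"
def allows(bind_dn, entry_dn, attr, wanted):
    return LEVELS.index(granted(bind_dn, entry_dn, attr)) >= LEVELS.index(wanted)
```

On a live server, slapacl(8) performs the same kind of check against the real configuration and directory, which is the authoritative way to confirm what a given bind DN is granted.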