I have been using OpenLDAP for years already to store my users, so I have to define them only once. The users can log on to both Linux and Windows (Samba). Now I want to add address books and manage the access rights.
I have a problem with the usage of groups in an access control. I want to have address books in my LDAP, but they should not be accessible by everybody. I used http://www.openldap.org/faq/data/cache/52.html to configure OpenLDAP, but it does not seem to work. I have created a group like this:
dn: cn=abk-admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
member: cn=My ENTRY,ou=People,dc=example,dc=com
cn: abk-admin
and an address book like this:
dn: ou=abk1,ou=Addressbooks,dc=example,dc=com
ou: abk1
objectClass: organizationalUnit
objectClass: top
(Both entries are output of slapcat. I did not include attributes like creatorsName and entryUUID.)
In slapd.conf I have the following access rules:
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by dn="cn=admin,dc=example,dc=com" write
    by dn="cn=proxyuser,dc=example,dc=com" read
    by anonymous auth
    by self write
    by * none
access to attrs=shadowLastChange,shadowMax
    by self write
    by * read
access to dn.base=""
    by * read
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
    by dn="cn=admin,dc=example,dc=com" write
    by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
    by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
    by * none
I searched around and changed dn.children to dn.subtree and dn.one, but the result is the same. I can read the entries, but I cannot insert or delete an entry. I can only do this as admin, but only if the line for admin is defined. What did I do wrong or understand wrong? I tried to find the answer on the internet but was not able to :(
OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39) Debian 6.0.6
Regards,
Marco
Marco de Booij wrote:
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
    by dn="cn=admin,dc=example,dc=com" write
    by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
    by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
    by * none
You should probably read the slapd.access(5) man page more thoroughly.
Also the pages in the FAQ-O-MATIC are a good entry point: http://www.openldap.org/faq/data/cache/189.html
In particular for group-based ACL: http://www.openldap.org/faq/data/cache/52.html
Ciao, Michael.
Like I wrote in my question, I already read http://www.openldap.org/faq/data/cache/52.html. The entries in my LDAP are a near copy of the first part:
dn: ou=abk1,ou=Addressbooks,dc=example,dc=com
ou: abk1
objectClass: organizationalUnit
objectClass: top
dn: cn=abk-admin,ou=Roles,dc=example,dc=com
objectClass: groupOfNames
member: cn=My ENTRY,ou=People,dc=example,dc=com
cn: abk-admin
The slapd.access man page is an avalanche of information. It confuses me. Also the other pages do not make it any clearer to me. I do not see why I should use regular expressions. My knowledge is very basic.
I just connect as a member of the group (e.g. "cn=My ENTRY,ou=People,dc=example,dc=com") to the LDAP and insert or delete an email address entry.
Regards,
Marco
On 27-01-13 13:10, Michael Ströder wrote:
Marco de Booij wrote:
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
    by dn="cn=admin,dc=example,dc=com" write
    by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
    by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
    by * none
You should probably read the slapd.access(5) man page more thoroughly.
Also the pages in the FAQ-O-MATIC are a good entry point: http://www.openldap.org/faq/data/cache/189.html
In particular for group-based ACL: http://www.openldap.org/faq/data/cache/52.html
Ciao, Michael.
Marco de Booij wrote:
Like I wrote in my question I already read http://www.openldap.org/faq/data/cache/52.html.
Then please take a look at it once more.
Hint: by groupOfNames= is wrong.
Ciao, Michael.
I think you should also have a look at the order of your ACLs. If you place an "access to *" before an "access to dn.children", the second will not be evaluated (if there is no "break"...).
Cheers,
-Markus-
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
    by dn="cn=admin,dc=example,dc=com" write
    by groupOfNames="cn=abk-admin,ou=Roles,dc=example,dc=com" write
    by groupOfNames="cn=abk-user,ou=Roles,dc=example,dc=com" read
    by * none
I searched around and changed dn.children to dn.subtree and dn.one, but the result is the same. I can read the entries, but I cannot insert or delete an entry. I can only do this as admin, but only if the line for admin is defined. What did I do wrong or understand wrong? I tried to find the answer on the internet but was not able to :(
OpenLDAP: slapd 2.4.23 (Jun 16 2011 02:53:39) Debian 6.0.6
Regards,
Marco
Hi Marco,
Reread http://www.openldap.org/doc/admin24/access-control.html, maybe more than one time ;-)
In short: exchange rules 4 & 5.
Remember that ordering by tree (the DN in the what clause) is important.
Thanks Harry and Markus.
I did not read the page until the end :( Yesterday, before I went to sleep, the order thing (a firewall works this way too) came into my mind. I wanted to check it today. I moved the access rule up to 3rd place, and I even removed all the by 'dn="cn=admin,dc=example,dc=com"' write rules to get rid of the warnings with slapacl. The output of slapacl is:
# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: read(=rscxd)
children: read(=rscxd)
ou=abk1: read(=rscxd)
objectClass=organizationalUnit: read(=rscxd)
objectClass=top: read(=rscxd)
structuralObjectClass=organizationalUnit: read(=rscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: read(=rscxd)
creatorsName=cn=admin,dc=example,dc=com: read(=rscxd)
createTimestamp=20130116171011Z: read(=rscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: read(=rscxd)
modifiersName=cn=admin,dc=example,dc=com: read(=rscxd)
modifyTimestamp=20130116171011Z: read(=rscxd)
Strange that the children are still read. If I change dn.children to dn.subtree, then everything changes to write, but still no insert or delete.
# slapacl -b "ou=abk1,ou=Addressbooks,dc=example,dc=com" -D "cn=My ENTRY,ou=People,dc=example,dc=com" -v -f /etc/ldap/slapd.conf
authcDN: "cn=my entry,ou=people,dc=example,dc=com"
entry: write(=wrscxd)
children: write(=wrscxd)
ou=Beauty: write(=wrscxd)
objectClass=organizationalUnit: write(=wrscxd)
objectClass=top: write(=wrscxd)
structuralObjectClass=organizationalUnit: write(=wrscxd)
entryUUID=54995398-f44b-1031-87a4-17089ecb7055: write(=wrscxd)
creatorsName=cn=admin,dc=example,dc=com: write(=wrscxd)
createTimestamp=20130116171011Z: write(=wrscxd)
entryCSN=20130116171011.288097Z#000000#000#000000: write(=wrscxd)
modifiersName=cn=admin,dc=example,dc=com: write(=wrscxd)
modifyTimestamp=20130116171011Z: write(=wrscxd)
I still cannot add or remove address-book entries, but I know that I am on the right track. Perhaps there is some caching somewhere that is not cleared when slapd is restarted. I will read the page to the end this time :)
On 28-01-13 10:13, harry.jede@arcor.de wrote:
Hi Marco,
Reread http://www.openldap.org/doc/admin24/access-control.html, maybe more than one time ;-)
In short: exchange rules 4 & 5.
Remember that ordering by tree (the DN in the what clause) is important.
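The thread's ACLs with the ordering Harry and Markus point to and the group syntax Michael hints at, as an added example that was not posted by anyone in the thread; it keeps the DNs from the thread and assumes cn=abk-user is a groupOfNames like cn=abk-admin.

```conf
# Added example (not from the thread). slapd applies the FIRST "access to
# <what>" clause whose <what> matches the target entry; later clauses are
# never consulted, so a specific rule placed after "access to *" is dead.
# Groups are named with the group= form (default object class groupOfNames,
# default member attribute "member").

# 1. Password attributes (unchanged from the original configuration)
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdMustChange,sambaPwdLastSet
    by dn="cn=admin,dc=example,dc=com" write
    by dn="cn=proxyuser,dc=example,dc=com" read
    by anonymous auth
    by self write
    by * none

# 2. Shadow attributes (unchanged)
access to attrs=shadowLastChange,shadowMax
    by self write
    by * read

# 3. Root DSE (unchanged)
access to dn.base=""
    by * read

# 4. Adding or deleting an entry below ou=abk1 needs write access to the
#    "children" pseudo-attribute of ou=abk1 itself. dn.children does not
#    match ou=abk1, which is why slapacl kept reporting "children: read".
#    Granting write on only that pseudo-attribute lets abk-admin manage
#    entries without being able to modify or delete the container.
access to dn.base="ou=abk1,ou=Addressbooks,dc=example,dc=com" attrs=children
    by dn="cn=admin,dc=example,dc=com" write
    by group="cn=abk-admin,ou=Roles,dc=example,dc=com" write
    by group="cn=abk-user,ou=Roles,dc=example,dc=com" read
    by * none

# 5. The address-book entries themselves, including their "entry"
#    pseudo-attribute (delete needs write on it). Must come BEFORE rule 6.
access to dn.children="ou=abk1,ou=Addressbooks,dc=example,dc=com"
    by dn="cn=admin,dc=example,dc=com" write
    by group="cn=abk-admin,ou=Roles,dc=example,dc=com" write
    by group="cn=abk-user,ou=Roles,dc=example,dc=com" read
    by * none

# 6. Catch-all; has to stay LAST or it shadows rules 4 and 5
access to *
    by dn="cn=admin,dc=example,dc=com" write
    by * read
```

Checking the result with the same slapacl command from the thread should then report "children: write" for a member of cn=abk-admin on the ou=abk1 entry.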
openldap-technical@openldap.org