Hello,
I'm trying to put ACL for a group, to allow write actions.
I followed this and it's workin : https://www.openldap.org/faq/data/cache/52.html
Here is what I put in my ldif file:
dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to dn.subtree="dc=test,dc=example,dc=com" by group.exact="cn=writer,dc=test,dc=example,dc=com" write by anonymous auth
But I have two questions: Why do I have to put "by anonymous auth"? Without that I have an error 49, invalid credentials. I have not put "by self write", and it's working like that. Is it important?
Regards, Gab
If you don't put "by anonymous auth" in there the not yet authenticated user has no permission to authenticate against the LDAP service. Each ACL ends with an implicit "by * none".
Am 01.08.24 um 11:19 schrieb pficheux@integra.fr:
Hello,
I'm trying to put ACL for a group, to allow write actions.
I followed this and it's workin : https://www.openldap.org/faq/data/cache/52.html
Here is what I put in my ldif file:
dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to dn.subtree="dc=test,dc=example,dc=com" by group.exact="cn=writer,dc=test,dc=example,dc=com" write by anonymous auth
But I have two questions: Why do I have to put "by anonymous auth"? Without that I have an error 49, invalid credentials. I have not put "by self write", and it's working like that. Is it important?
Regards, Gab
Hello Uwe,
Thanks for the answer.
So, if I understand correctly, until you are authenticated, you are considered as anonymous, or sort of by the LDAP right?
And concerning the "by self write", in the example :
access to dn.children="dc=example,dc=com" by self write by group.exact="cn=Administrators,dc=example,dc=com" write by * auth
What is the purpose of this? An authenticated user can write his own entry with that?
Regards,
Gab.
--On Thursday, August 1, 2024 3:42 PM +0000 pficheux@integra.fr wrote:
Hello Uwe,
Thanks for the answer.
So, if I understand correctly, until you are authenticated, you are considered as anonymous, or sort of by the LDAP right?
And concerning the "by self write", in the example :
access to dn.children="dc=example,dc=com" by self write by group.exact="cn=Administrators,dc=example,dc=com" write by * auth
Better ACL is probably:
access to attrs=userPassword by self =xw by group.exact="cn=Administrators,dc=example,dc=com" write by anonymous auth
access to dn.subtree="dc=example,dc=com" by self write by group.exact="cn=Administrators,dc=example,dc=com" write
--Quanah
Am 01.08.24 um 16:42 schrieb pficheux@integra.fr:
Hello Uwe,
Thanks for the answer.
So, if I understand correctly, until you are authenticated, you are considered as anonymous, or sort of by the LDAP right?
You are either anonymous == unauthenticated or you are authenticated against an LDAP entry. (There are some other, special cases where you are authenticated against something else but that would get too far off track right now.)
And concerning the "by self write", in the example :
access to dn.children="dc=example,dc=com" by self write by group.exact="cn=Administrators,dc=example,dc=com" write by * auth
What is the purpose of this? An authenticated user can write his own entry with that?
Yes, exactly, given that the user's entry is below dc=example,dc=com. Usually that is used like
access to attrs=userPassword by self write by anonymous auth
to allow authentication and password changes.
Regards,
Gab.
Alright, it's make more sense to me now, thank you.
Last question, I'm trying to do this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth olcAccess: {1}to * by self read
I can connect, but not read the BDD. What am I doing wrong here?
Am 01.08.24 um 18:13 schrieb pficheux@integra.fr:
Alright, it's make more sense to me now, thank you.
Last question, I'm trying to do this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth olcAccess: {1}to * by self read
I can connect, but not read the BDD. What am I doing wrong here?
What is BDD?
"by self read" means that only the user's own entry can be read. For this the user needs to know where his/her entry is located within the DIT (Directory Information Tree).
Assuming that your base is "dc=example,dc=org" and the management access configured for "cn=manager,dc=example,dc=org" what you probably want to have is:
access to attrs=userPassword,shadowLastChange by self write by anonymous auth
access to * by "cn=operator,dc=exmaple,dc=org" manage by self read by anonymous search
Notice two things: - "cn=manager,dc=example,dc=org" does not occur within ACLs because this account is configured within slapd.conf / cn=config as almighty user for dc=example,dc=org - "cn=operator,dc=exmaple,dc=org" is a second account that is also allowed to edit the content of the DIT
While cn=manager doesn't need to exist inside the DIT (if the password is given in slapd.conf / cn=config) the second account cn=operator must exist, e.g.
dn: cn=operator,dc=exmaple,dc=org objectClass: top objectClass: organizationalRole objectClass: simpleSecurityObject cn: operator userPassword: <HASH of the password> description: secondary management account
Hello,
Sorry, BDD is the french word for DB.
What I'm trying to test here, is to have users permissions to modify their own password, but also the right to read others entry.
I've tried to put "break" at the end of the first ACL, but it's not working.
dn: olcDatabase={1}mdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth break olcAccess: {1}to * by self read
Am 02.08.24 um 10:24 schrieb pficheux@integra.fr:
Hello,
Sorry, BDD is the french word for DB.
What I'm trying to test here, is to have users permissions to modify their own password, but also the right to read others entry.
I've tried to put "break" at the end of the first ACL, but it's not working.
dn: olcDatabase={1}mdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth break olcAccess: {1}to * by self read
All the info you are asking for can be found at
https://www.openldap.org/doc/admin26/access-control.html
"break" doesn't do any good here because it just stops the evaluation of attrs=userPassword,shadowLastChange BUT these attributes will be part of further evaluation.
E.g. if you have a "global" rule
olcAccess: {0}to * by "cn=operator,dc=example,dc=org" manage
that would give cn=operator (and the root user) all access but after that, the evaluation of "*" will stop.
But with
olcAccess: {0}to * by "cn=operator,dc=example,dc=org" manage break
the evaluation of "*" is done by further, more specific rules that follow.
Given "to have users permissions to modify their own password, but also the right to read others entry" you want:
dn: olcDatabase={1}mdb,cn=config add: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth
olcAccess: {1}to * by users read
which gives the anonymous user the right to authenticate, the authenticated user to modify the password and any other authenticated user the right to read the DIT (but for attrs=userPassword,shadowLastChange).
Hello,
Thank you, it's working.
It really makes more sense to me know.
Regards,
Gab
openldap-technical@openldap.org