On Tuesday, 22 March 2011 12:12:53 Hendrik van der Ploeg wrote:
ok thanks,
But how can I set the user in a seperate database to have access to a different database?
Use a separate local database with a suitable backend (e.g. hdb or bdb).
Any "local" DN can appear in access control statements for any other database.
Here is one example (allowing "local" users in dc=ranger,dc=dnsalias,dc=com access to cn=config)
[bgmilne@tiger ~]$ ldapsearch -Q -LLL -b cn=config "(olcDatabase=config)" olcAccess dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsa lias,dc=com" ssf=112 write olcAccess: {1}to * by * none
[bgmilne@tiger ~]$ ldapwhoami -Q dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com [bgmilne@tiger ~]$ ldapcompare -Q 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com TRUE
(BTW, please keep replies on-list, and while we're at it, try avoid unnecessary top-posting)
Regards, Buchan
Yesssssssss, it worked like a charm!!! Thank you very much!!
Regards,
Hendrik van der Ploeg The Netherlands
On Tue, 22 Mar 2011 12:39:18 +0200, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday, 22 March 2011 12:12:53 Hendrik van der Ploeg wrote:
ok thanks,
But how can I set the user in a seperate database to have access to a different database?
Use a separate local database with a suitable backend (e.g. hdb or bdb).
Any "local" DN can appear in access control statements for any other database.
Here is one example (allowing "local" users in dc=ranger,dc=dnsalias,dc=com access to cn=config)
[bgmilne@tiger ~]$ ldapsearch -Q -LLL -b cn=config
"(olcDatabase=config)"
olcAccess dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsa lias,dc=com" ssf=112 write olcAccess: {1}to * by * none
[bgmilne@tiger ~]$ ldapwhoami -Q dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com [bgmilne@tiger ~]$ ldapcompare -Q 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com TRUE
(BTW, please keep replies on-list, and while we're at it, try avoid unnecessary top-posting)
Regards, Buchan
ok,
I was too fast with celibrating. :)
I create a user proxy and it can connect to all databases. So that works.
But when I modify slapd.conf to look in both databases it only gives a result in the last "uri"
database meta suffix "dc=ntws,dc=nl" uri "ldaps://ldapcons1.domain.nl/dc=N000003,dc=domain,dc=nl" uri "ldaps://ldapcons0.domain.nl/dc=N000002,dc=domain,dc=nl"
When I enable either one they work just fine.
Any suggestions?
Best regards,
Hendrik vd Ploeg The Netherlands
On Tue, 22 Mar 2011 12:39:18 +0200, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Tuesday, 22 March 2011 12:12:53 Hendrik van der Ploeg wrote:
ok thanks,
But how can I set the user in a seperate database to have access to a different database?
Use a separate local database with a suitable backend (e.g. hdb or bdb).
Any "local" DN can appear in access control statements for any other database.
Here is one example (allowing "local" users in dc=ranger,dc=dnsalias,dc=com access to cn=config)
[bgmilne@tiger ~]$ ldapsearch -Q -LLL -b cn=config
"(olcDatabase=config)"
olcAccess dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsa lias,dc=com" ssf=112 write olcAccess: {1}to * by * none
[bgmilne@tiger ~]$ ldapwhoami -Q dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com [bgmilne@tiger ~]$ ldapcompare -Q 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com TRUE
(BTW, please keep replies on-list, and while we're at it, try avoid unnecessary top-posting)
Regards, Buchan
Ok,
I found the solution. I need to define an IDAssert per database like this:
database meta suffix "dc=ntws,dc=nl" uri "ldaps://ldapcons0.domain.nl/dc=domain,dc=nl" idassert-bind bindmethod=simple binddn="uid=proxy,ou=Service,dc=service,dc=domain,dc=nl" credentials="U may guess" mode=none
uri "ldaps://ldapcons1.domain.nl/dc=domain,dc=nl" idassert-bind bindmethod=simple binddn="uid=proxy,ou=Service,dc=service,dc=domain,dc=nl" credentials="U may guess" mode=none
Thanks for your help and answers
Regards,
Hendrik van der Ploeg Noordwijkerhout The Netherlands
On Tuesday, 22 March 2011 12:12:53 Hendrik van der Ploeg wrote:
ok thanks,
But how can I set the user in a seperate database to have access to a different database?
Use a separate local database with a suitable backend (e.g. hdb or
bdb).
Any "local" DN can appear in access control statements for any other database.
Here is one example (allowing "local" users in dc=ranger,dc=dnsalias,dc=com access to cn=config)
[bgmilne@tiger ~]$ ldapsearch -Q -LLL -b cn=config "(olcDatabase=config)" olcAccess dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsa lias,dc=com" ssf=112 write olcAccess: {1}to * by * none
[bgmilne@tiger ~]$ ldapwhoami -Q dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com [bgmilne@tiger ~]$ ldapcompare -Q 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com TRUE
(BTW, please keep replies on-list, and while we're at it, try avoid unnecessary top-posting)
Regards, Buchan
openldap-technical@openldap.org
-
Buchan Milne -
Hendrik van der Ploeg