Sir,
I modified my settings and added the following group:
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
userPassword: {crypt}x
gidNumber: 550
memberUid: l_luke
memberUid: w_smith
I also modified my ACL in the slapd.conf:
access to attr=userPassword
    by self write
    by anonymous auth
    by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
    by * none
access to *
    by self write
    by group/groupOfNames/member="cn=pwmanager,ou=Group,dc=mydomain,dc=com" write
    by * read
I used the same command trying to change the user's password but received the exact same error. Would you please help? You mentioned in your previous reply that the nisNetgroup object doesn't fit in the ACL configuration. I had defined netgroups that looked like the following:
dn: cn=Sales,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: Sales
nisNetgroupTriple: (,c_parks,mydomain.com)
nisNetgroupTriple: (,j_berryhill,mydomain.com)
nisNetgroupTriple: (,b_chen,mydomain.com)
Would there be a way for me to use the netgroup and its members for any ACL type of access?
Your help will be highly appreciated!
----- Original Message ----
From: Pierangelo Masarati <ando@sys-net.it>
To: Luke Lee <leeluke77@yahoo.com>
Cc: openldap-technical@openldap.org
Sent: Thursday, March 27, 2008 12:35:16 PM
Subject: Re: OpenLDAP Group ACL
Hello,
I'll appreciate it if any of you are willing to take the time to share with me your experience with OpenLDAP running on a RedHat server configured with group ACLs.
I'm trying to grant a group of people (including myself) the permission to change user LDAP passwords. However, when I try to change a user's LDAP password, I receive the following message:
Result: Insufficient access (50)
The command that I used was:
ldappasswd -x -W -D "uid=l_luke,ou=Netgroup,dc=mydomain,dc=com" -S "uid=w_smith,ou=People,dc=mydomain,dc=com"
My ACL settings in the slapd.conf file are:
access to attr=userPassword
    by self write
    by anonymous auth
    by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
    by * none
access to *
    by self write
    by group.exact="cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com" write
    by * read
My netgroup has been defined as the following:
dn: cn=ITgroup,ou=Netgroup,dc=mydomain,dc=com
objectClass: nisNetgroup
objectClass: top
cn: ITgroup
nisNetgroupTriple: (,l_luke,mydomain.com)
nisNetgroupTriple: (,w_smith,mydomain.com)
nisNetgroupTriple: (,g_baker,mydomain.com)
description: Password Keepers
My user entry is:
# l_luke, People, mydomain.com
dn: uid=l_luke,ou=People,dc=mydomain,dc=com
uid: l_luke
cn: l_luke
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 13958
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 10005
gidNumber: 10005
homeDirectory: /home/l_luke
gecos: Luke Lee
Can anyone point me in the right direction or share with me the correct group ACL settings that you have? Thanks!
As indicated in slapd.access(5), the member attribute must have either distinguishedName syntax (or nameAndOptionalUID syntax) or be derived from memberURL; it defaults to "member". It appears from your message that you expect "nisNetgroupTriple" to be used as the member attribute, but you should specify that attribute in the ACL clause. However, "nisNetgroupTriple" wouldn't be allowed since it doesn't comply with the above restrictions. You need to use LDAP groups for access control; nisNetgroup objects don't fit.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
Luke Lee wrote:
Sir,
I modified my settings and added the following group:
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
userPassword: {crypt}x
gidNumber: 550
memberUid: l_luke
memberUid: w_smith
I still don't see any DN-valued "member" attribute in your group. It's pointless to guarantee access based on "member" while you don't have any "member" value in your group. Until you fix (and understand) this (which is very basic LDAP), the server is behaving as expected and correctly denying you access.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
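As an added illustration (not code from the thread or from OpenLDAP), this Python models the membership test behind a "by group/<objectClass>/<memberAttr>=<groupDN>" clause: the group entry must carry the named objectClass, and the bind DN must appear, compared as a DN, among that attribute's values. The two LDIF strings are constructed from the entries in the thread (the posixGroup as posted, and the same group rewritten as a groupOfNames with DN-valued "member"); DN normalization is simplified to lower-casing and whitespace trimming.

```python
import re

# Constructed from the thread: the group as posted.  memberUid values are
# login names (IA5 strings), not DNs, so no group ACL clause can match on them.
POSIX_GROUP_LDIF = """\
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: posixGroup
objectClass: top
cn: pwmanager
gidNumber: 550
memberUid: l_luke
memberUid: w_smith
"""

# The same group as a groupOfNames whose member values are the full DNs of
# the People entries, which is the shape slapd.access(5) requires.
DN_GROUP_LDIF = """\
dn: cn=pwmanager,ou=Group,dc=mydomain,dc=com
objectClass: groupOfNames
objectClass: top
cn: pwmanager
member: uid=l_luke,ou=People,dc=mydomain,dc=com
member: uid=w_smith,ou=People,dc=mydomain,dc=com
"""

def parse_ldif_entry(text):
    """One LDIF entry -> {attr (lower-case): [values]}; no folding/base64."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def norm_dn(dn):
    """Simplified DN comparison key: lower-case, no spaces around ',' or '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def group_clause_matches(bind_dn, group_ldif,
                         object_class="groupOfNames", member_attr="member"):
    """True if 'by group/<object_class>/<member_attr>=<groupDN>' would match:
    the group carries object_class AND bind_dn equals, compared as a DN, one
    of member_attr's values.  Anything else is denied, as in the thread."""
    entry = parse_ldif_entry(group_ldif)
    if object_class.lower() not in {v.lower() for v in entry.get("objectclass", [])}:
        return False
    members = {norm_dn(v) for v in entry.get(member_attr.lower(), [])}
    return norm_dn(bind_dn) in members
```

Note that the bind DN used with ldappasswd -D in the thread sits under ou=Netgroup while the user entry is under ou=People; even with a correct groupOfNames, a DN that is not literally a "member" value is not matched.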