Hi. Sorry for the banal question. I created an ACL for a group whose members have full access to OpenLDAP.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword by self write by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com" write by anonymous auth by * none
olcAccess: to * by self write by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com write by * read
But members of this group didn't get full access. Please tell me what I did wrong?
--On Tuesday, August 11, 2020 1:55 PM +0000 Клеусов Владимир Сергеевич Kleusov.Vladimir@wildberries.ru wrote:
by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com write
You're missing an end quote.
group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com" <-----
--Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Thanks. I fixed it:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: to attrs=userPassword by self write by group.exact="cn=ldap_admins,ou=Groups,dc=wildberries,dc=ru" write by anonymous auth by * none
olcAccess: to * by self write by group.exact="cn=ldap_admins,ou=Groups,dc=wildberries,dc=ru" write by * read
and applied it on another OpenLDAP server with:
ldapmodify -Y EXTERNAL -H ldapi:/// -f acladm.ldif
However, a member of the ldap_admins group does not have full access.
If you don't mind, can you help? 1) Is the ACL correct? 2) Is it possible to make an ACL for a POSIX group in a different way?
--On Wednesday, August 12, 2020 9:56 AM +0000 Клеусов Владимир Сергеевич Kleusov.Vladimir@wildberries.ru wrote:
- Is it possible to make an ACL for a POSIX group in a different way?
OpenLDAP ACLs deal with LDAP groups, not posix groups.
--Quanah
Thanks. I deleted the POSIX group and created it like this: [image]
But user test still doesn't have full rights. What might be the problem?
--On Wednesday, August 12, 2020 4:31 PM +0000 Клеусов Владимир Сергеевич Kleusov.Vladimir@wildberries.ru wrote:
Thanks. I deleted the POSIX group and created it like this: [Image: ""]
But user test still doesn't have full rights. What might be the problem?
That's not an LDAP group. LDAP groups use the groupOfNames objectClass and have member attributes. The member attribute contains the full DN of the entries that are members.
Regards, Quanah
Sorry, please explain. The group in the picture in the previous email:
cn: ldap_admins
member: uid=test,ou=Users,dc=domain,dc=com
objectClass: groupOfNames
--On Wednesday, August 12, 2020 5:24 PM +0000 Клеусов Владимир Сергеевич Kleusov.Vladimir@wildberries.ru wrote:
Sorry, please explain. The group in the picture in the previous email:
cn: ldap_admins
member: uid=test,ou=Users,dc=domain,dc=com
Hi,
Don't send images of textual data. Additionally your graphic doesn't show the DN of the group, so there's no way to map it to the ACLs you provided.
Provide actual text data of the entries in question (the group and the user) in addition to the current ACLs.
--Quanah
Hi, I am sending it along with the commands and their results:
ldapsearch -x -b "cn=ldap_admins,ou=Groups,dc=domain,dc=com" -H ldapi:///
# ldap_admins, Groups, domain.com
dn: cn=ldap_admins,ou=Groups,dc=domain,dc=com
objectClass: groupOfNames
cn: ldap_admins
member: uid=test,ou=Users,dc=domain,dc=com
ldapsearch -x -b "cn=test,ou=Users,dc=domain,dc=com" -H ldapi:///
# test, Users, domain.com
dn: cn=test,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
homeDirectory: /home/test
loginShell: /bin/bash
uid: test
cn: test
uidNumber: 10000
gidNumber: 10000
sn: test
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config 'olcDatabase={1}mdb'
olcAccess: {0}to attrs=userPassword by self write by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com" write by anonymous auth by * none
olcAccess: {1}to * by self write by group.exact="cn=ldap_admins,ou=Groups,dc=domain,dc=com" write by * read
--On Thursday, August 13, 2020 9:31 AM +0000 Клеусов Владимир Сергеевич Kleusov.Vladimir@wildberries.ru wrote:
member: uid=test,ou=Users,dc=domain,dc=com
dn: cn=test,ou=Users,dc=domain,dc=com
Study the above. It's pretty clear what the problem is. ;)
Regards, Quanah
Thanks. If I think logically :) the member attribute requires the full DN of the group member, not the uid.
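An added example, not code from the thread or from OpenLDAP, that mimics how a group.exact clause resolves membership: it parses the group entry posted above, compares the bind DN against the member values the way slapd would match them, and shows why a member value of uid=test,ou=Users,... never matches an entry whose DN is cn=test,ou=Users,...; it also flags the unbalanced quote from the first ACL. The DN normalization (lowercasing, stripping whitespace around separators) is a simplifying assumption, not slapd's real matching rules, and the LDIF constants are copied from the thread.

```python
import re

# Group and user entries as posted in the thread (constructed test input here).
GROUP_LDIF = """# ldap_admins, Groups, domain.com
dn: cn=ldap_admins,ou=Groups,dc=domain,dc=com
objectClass: groupOfNames
cn: ldap_admins
member: uid=test,ou=Users,dc=domain,dc=com
"""

USER_LDIF = """dn: cn=test,ou=Users,dc=domain,dc=com
objectClass: posixAccount
objectClass: inetOrgPerson
uid: test
cn: test
"""


def parse_ldif_entry(text):
    """Parse one single-entry LDIF block into {attr: [values]} (attr names lowercased).
    Handles plain 'attr: value' lines only; base64 ('::') and continuation lines are not needed here."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def normalize_dn(dn):
    """Simplified comparison form: case-insensitive, no whitespace around ',' and '='."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def group_exact_grants(group_ldif, bind_dn):
    """True only if bind_dn equals one of the group's member values (a full DN)."""
    members = {normalize_dn(m) for m in parse_ldif_entry(group_ldif).get("member", [])}
    return normalize_dn(bind_dn) in members


def required_member_value(user_ldif):
    """The value the group's member attribute must carry: the user entry's own DN."""
    return parse_ldif_entry(user_ldif)["dn"][0]


def unbalanced_quotes(olc_access):
    """True if an olcAccess value has an odd number of double quotes (the first post's bug)."""
    return olc_access.count('"') % 2 == 1
```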