Hi,
Could someone please give an example of .ldif for granting *read-only* access to the whole directory to the user "cn=query,dc=example,dc=com"?
Kind regards,
Harri
--On Sunday, January 24, 2021 10:05 PM +0200 "Harri T." haba713@gmail.com wrote:
> Hi,
> Could someone please give an example of .ldif for granting *read-only* access to the whole directory to the user "cn=query,dc=example,dc=com"?
I don't know what you mean by "an example of .ldif".
If it were slapd.conf, it would be something like:
database mdb
suffix dc=example,dc=com
access to *
    by dn.exact="cn=query,dc=example,dc=com" read
If it were a cn=config database, something like:
ldapmodify ...
dn: olcDatabase={X}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact="cn=query,dc=example,dc=com" read
You'd need to modify "X" to be the actual database containing the data you want it to have read access on. Additionally, since this does an insert to be access rule 0, no other access rules that may be in the database would be validated.
In both cases, this ACL would most likely not be useful since it would block simple (userPassword) authentication, meaning it would be impossible to authenticate to being the "cn=query,dc=example,dc=com" user since there is no anonymous auth access to userPassword.
A more useful set of ACLs might be something like:
-- slapd.conf --
access to userPassword
    by anonymous auth
    by self write
    by dn.exact="cn=query,dc=example,dc=com" read
access to *
    by dn.exact="cn=query,dc=example,dc=com" read
-- cn=config --
olcAccess: {0}to userPassword by anonymous auth by self write by dn.exact="cn=query,dc=example,dc=com" read
olcAccess: {1}to * by dn.exact="cn=query,dc=example,dc=com" read
Regards, Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
http://www.symas.com
On 25.1.2021 23.28, Quanah Gibson-Mount wrote:
> I don't know what you mean by "an example of .ldif".
Hi Quanah,
And thank you for the answer. I thought that .ldif [1] is a file format to be used with ldapmodify but maybe it is used only for modifying the directory contents and not for configuring slapd.
I'll try the examples you gave.
Kind regards,
Harri
[1] https://www.digitalocean.com/community/tutorials/how-to-use-ldif-files-to-ma...
--On Tuesday, January 26, 2021 5:11 PM +0200 "Harri T." haba713@gmail.com wrote:
> On 25.1.2021 23.28, Quanah Gibson-Mount wrote:
> > I don't know what you mean by "an example of .ldif".
> Hi Quanah,
> And thank you for the answer. I thought that .ldif [1] is a file format to be used with ldapmodify but maybe it is used only for modifying the directory contents and not for configuring slapd.
> I'll try the examples you gave.
OpenLDAP can be configured one of two ways:
a) Via the static slapd.conf method (deprecated)
b) Via the cn=config database
You never stated which you were using. The first method (a) requires updates via a text editor or similar. The second method (b) can be updated via ldapmodify on an LDIF formatted file.
Regards, Quanah
On 26.1.2021 19.31, Quanah Gibson-Mount wrote:
> OpenLDAP can be configured one of two ways:
> a) Via the static slapd.conf method (deprecated)
> b) Via the cn=config database
> You never stated which you were using. The first method (a) requires updates via a text editor or similar. The second method (b) can be updated via ldapmodify on an LDIF formatted file.
We have b). I'll try to get this done with ldapmodify.
Harri
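Since the cn=config route is the one in use, here is an added example (not from this thread) that builds the ldapmodify LDIF for Quanah's two rules while honouring his caveat: inserting at {0} shadows every rule already present, so the script reads the current olcAccess values (a constructed sample is embedded), prepends the query DN's "by" clause to an existing userPassword or catch-all rule instead of adding a competing one, and emits a "replace" of the whole ordered list. The database DN olcDatabase={1}mdb,cn=config is a placeholder; substitute the one that holds your data.

```python
import re

QUERY_DN = 'cn=query,dc=example,dc=com'
QUERY_BY = f'by dn.exact="{QUERY_DN}" read'
# Quanah's two rules, used only when no rule for that <what> exists yet.
NEW_RULES = {
    'userPassword': f'to userPassword by anonymous auth by self write {QUERY_BY}',
    '*': f'to * {QUERY_BY}',
}
# olcAccess values come back from ldapsearch as "{n}to <what> by ..."
RULE_RE = re.compile(r'^\{\d+\}\s*to\s+(\S+)\s*(.*)$')

def merge_rules(existing):
    """Return the new ordered rule list (without {n} prefixes).

    slapd stops at the first "to" clause that matches the entry, so a
    rule for userPassword or * that is already present is kept and gets
    the query DN's "by" clause prepended; dn.exact matches only that DN,
    so nobody else's access changes.  Only rules whose first <what> term
    is exactly userPassword/attrs=userPassword or * are merged; missing
    rules are added (userPassword first, catch-all last).
    """
    merged, seen = [], set()
    for value in existing:
        m = RULE_RE.match(value)
        if not m:
            raise ValueError(f'unparsable olcAccess value: {value!r}')
        what, by_clauses = m.group(1), m.group(2)
        key = what[6:] if what.startswith('attrs=') else what
        if key in NEW_RULES and key not in seen:
            seen.add(key)
            merged.append(f'to {what} {QUERY_BY} {by_clauses}'.rstrip())
        else:
            merged.append(f'to {what} {by_clauses}'.rstrip())
    if 'userPassword' not in seen:
        merged.insert(0, NEW_RULES['userPassword'])
    if '*' not in seen:
        merged.append(NEW_RULES['*'])
    return merged

def build_ldif(database_dn, existing):
    """Render an ldapmodify change that replaces the whole ordered list."""
    lines = [f'dn: {database_dn}', 'changetype: modify', 'replace: olcAccess']
    lines += [f'olcAccess: {{{i}}}{r}' for i, r in enumerate(merge_rules(existing))]
    return '\n'.join(lines) + '\n'

# Constructed sample of what a server might already have configured.
SAMPLE_EXISTING = [
    '{0}to attrs=userPassword by anonymous auth by self write by * none',
    '{1}to * by self write by users read by * none',
]

if __name__ == '__main__':
    print(build_ldif('olcDatabase={1}mdb,cn=config', SAMPLE_EXISTING), end='')
```

Feed the script's output to ldapmodify as the config root DN, then confirm with an ldapsearch bound as cn=query that the directory is readable and that a modify attempt is refused.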
openldap-technical@openldap.org