Addendum:
LDAP is up and running with my configuration:
[root@ldap2]# ps auxwww | grep slapd
ldap 17190 0.0 1.1 426480 44384 ? Ssl Nov14 0:05 /usr/sbin/slapd -h ldap:/// -u ldap
And the directory seems to respond exactly as I wish to usual queries.
However, here is a slapcat output:
[root@ldap2]# /usr/sbin/slapcat -F /etc/openldap/slapd.d -l ldap-conf.ldif
PROXIED attributeDescription "OU" inserted.
PROXIED attributeDescription "DC" inserted.
olcSyncrepl: value #0: rootDN must be defined before syncrepl may be used
config error processing olcDatabase={1}bdb,cn=config: rootDN must be defined before syncrepl may be used
slapcat: bad configuration directory!
I checked, and it's true that the synchronisation doesn't work properly anymore.
I had to reinsert this to get everything working well:
dn: olcDatabase={1}bdb,cn=config
olcRootDN: cn=Manager,dc=example,dc=fr
(no need for olcRootPW)
-- Olivier
On Mon, Nov 14, 2011 at 5:15 PM, Olivier Guillard olivier@guillard.nom.fr wrote:
Hi there,
I would like to have your feeling or advice about the following ACL strategy for LDAP administration issues (cn=config and actual directory administration). I have tested it and it seems to work properly:
My idea is to create two groups of people: one for those who administer accounts in the directory, and another for those who are able to tune "cn=config".
Basically, I have the following DIT: cn=config and dn: dc=example,dc=fr
I have then created two "groupOfNames" (admin-ldap and admin-dir) and tuned the ACLs so that directory admins can modify accounts and LDAP admins can modify "slapd.d".
I have also removed RootDN as well as RootPW both in olcDatabase={0}config,cn=config and in olcDatabase={1}bdb,cn=config,
so that maintenance operations are not performed as "RootDN" anymore.
ANY REACTIONS OR ADVICE ON THAT?
HERE IS HOW I HAVE TUNED THAT:
# Entries for the two groupOfNames:
dn: cn=admin-dir,ou=system,dc=example,dc=fr
cn: admin-dir
member: uid=guillard,ou=people,dc=example,dc=fr
member: uid=foo,ou=people,dc=example,dc=fr
member: uid=shmol,ou=people,dc=example,dc=fr
objectClass: groupOfNames
objectClass: top

dn: cn=admin-ldap,ou=system,dc=example,dc=fr
cn: admin-ldap
member: uid=guillard,ou=staff,ou=people,dc=example,dc=fr
member: uid=pick,ou=staff,ou=people,dc=example,dc=fr
objectClass: groupOfNames
objectClass: top

### ACL:
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcAccess: {0}to * by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write by * none
...

### And:
dn: olcDatabase={1}bdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcBdbConfig
...
olcAccess: {0}to dn.base="dc=example,dc=fr"
  by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write
  by group.exact="cn=admin-dir,ou=system,dc=example,dc=fr" read
  by dn.base="cn=replication,ou=system,dc=example,dc=fr" read
  by * search
olcAccess: {1}to dn.one="dc=example,dc=fr"
  by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write
  by group.exact="cn=admin-dir,ou=system,dc=example,dc=fr" read
  by dn.base="cn=replicator,ou=system,dc=example,dc=fr" read
  by users search
  by anonymous auth

### then:
olcAccess: {2}to dn.subtree="ou=system,dc=example,dc=fr"
  by group.exact="cn=admin-ldap,ou=system,dc=example,dc=fr" write
  by dn.base="cn=replicator,ou=system,dc=example,dc=fr" read
  by * none

### and:
olcAccess: {3}to dn.subtree="dc=example,dc=fr" attrs=userPassword,shadowLastChange,loginShell
  by group.exact="cn=admin-annuaire,ou=system,dc=example,dc=fr" write
  by self write
  by dn.base="cn=replicator,ou=system,dc=example,dc=fr" read
  by users auth
  by anonymous auth

### finally:
olcAccess: {4}to dn.subtree="dc=example,dc=fr"
  by group.exact="cn=admin-annuaire,ou=system,dc=example,dc=fr" write
  by dn.base="cn=replicator,ou=system,dc=example,dc=fr" read
  by users read
  by anonymous read
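Added example, not code from the post or from OpenLDAP: a small Python evaluator of the olcAccess semantics that decide whether the strategy above does what the author intends (first matching "to" clause wins, first matching "by" clause inside it decides, an unmatched "by" list means none). It goes a little beyond the post by accepting any directive built from the dn.base/dn.one/dn.subtree, attrs=, group.exact, dn.base, self, users, anonymous and * forms used there. The sample data is constructed: it assumes the directory-admin group is cn=admin-dir (the name the group entries define) and that the replica identity is cn=replicator, and it deliberately leaves out global ACLs and the "entry" pseudo-attribute. The last lines show why the {2} rule on ou=system must sit before the {4} catch-all: swap them and every authenticated user can read the admin groups.

```python
"""Toy evaluator for OpenLDAP olcAccess directives (added example, not code from the post).
First 'to' clause whose <what> matches wins, then the first matching 'by' inside it; no matching
'by' means none. Not modelled: global ACLs, 'entry' pseudo-attribute, stop/break/continue, escaped commas."""
import shlex

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]  # ascending

def norm_dn(dn):
    """Lowercase a DN and drop spaces around RDN separators ('' = anonymous)."""
    return ",".join(p.strip() for p in (dn or "").lower().split(","))

def parse_acl(directive):
    """Parse 'to <what> by <who> <access> ...' into {'what': ..., 'by': [...]}."""
    tokens = shlex.split(directive)  # also strips the quotes around DNs
    if not tokens or tokens[0] != "to":
        raise ValueError("directive must start with 'to'")
    what = {"scope": "*", "base": "", "attrs": None}
    i = 1
    while i < len(tokens) and tokens[i] != "by":
        tok = tokens[i]
        if tok.startswith("dn.") and "=" in tok:  # dn.base= / dn.one= / dn.subtree=
            style, value = tok.split("=", 1)
            what["scope"], what["base"] = style[3:], norm_dn(value)
        elif tok.startswith("attrs="):
            what["attrs"] = {a.strip().lower() for a in tok[6:].split(",")}
        elif tok != "*":
            raise ValueError("unsupported <what> clause: " + tok)
        i += 1
    clauses = []
    while i < len(tokens):
        if tokens[i] != "by" or i + 2 >= len(tokens) or tokens[i + 2] not in LEVELS:
            raise ValueError("malformed 'by' clause in: " + directive)
        clauses.append((tokens[i + 1], tokens[i + 2]))
        i += 3
    return {"what": what, "by": clauses}

def what_matches(what, target, attr):
    t, base, scope = norm_dn(target), what["base"], what["scope"]
    if scope == "base":
        ok = t == base
    elif scope == "one":
        ok = t != base and t.split(",", 1)[-1] == base
    elif scope == "subtree":
        ok = t == base or t.endswith("," + base)
    else:
        ok = True
    if ok and what["attrs"] is not None:  # attrs= limits the clause to those attributes
        ok = attr is not None and attr.lower() in what["attrs"]
    return ok

def who_matches(who, requester, target, groups):
    r = norm_dn(requester)
    simple = {"*": True, "anonymous": r == "", "users": r != "",
              "self": r != "" and r == norm_dn(target)}
    if who in simple:
        return simple[who]
    if who.startswith("dn.base="):
        return r == norm_dn(who[8:])
    if who.startswith("group.exact="):  # groups: normalised group DN -> set of member DNs
        return r in groups.get(norm_dn(who[12:]), set())
    raise ValueError("unsupported <who> clause: " + who)

def effective_access(acls, groups, requester, target, attr=None):
    """Access level the requester (None = anonymous) gets on target/attr."""
    for acl in acls:
        if what_matches(acl["what"], target, attr):
            for who, access in acl["by"]:
                if who_matches(who, requester, target, groups):
                    return access
            return "none"  # implicit trailing 'by * none'
    return "none"

# Constructed data mirroring the {1}bdb ACLs above. Assumed names: the directory-admin
# group is cn=admin-dir and the replication identity is cn=replicator.
BASE = "dc=example,dc=fr"
ADMIN_LDAP, ADMIN_DIR = f"cn=admin-ldap,ou=system,{BASE}", f"cn=admin-dir,ou=system,{BASE}"
REPLICATOR, STAFF_ADMIN = f"cn=replicator,ou=system,{BASE}", f"uid=guillard,ou=staff,ou=people,{BASE}"
FOO, BAR = f"uid=foo,ou=people,{BASE}", f"uid=bar,ou=people,{BASE}"
GROUPS = {norm_dn(ADMIN_DIR): {norm_dn(FOO)}, norm_dn(ADMIN_LDAP): {norm_dn(STAFF_ADMIN)}}
DIRECTIVES = [
    f'to dn.base="{BASE}" by group.exact="{ADMIN_LDAP}" write by group.exact="{ADMIN_DIR}" read '
    f'by dn.base="{REPLICATOR}" read by * search',
    f'to dn.one="{BASE}" by group.exact="{ADMIN_LDAP}" write by group.exact="{ADMIN_DIR}" read '
    f'by dn.base="{REPLICATOR}" read by users search by anonymous auth',
    f'to dn.subtree="ou=system,{BASE}" by group.exact="{ADMIN_LDAP}" write '
    f'by dn.base="{REPLICATOR}" read by * none',
    f'to dn.subtree="{BASE}" attrs=userPassword,shadowLastChange,loginShell '
    f'by group.exact="{ADMIN_DIR}" write by self write by dn.base="{REPLICATOR}" read '
    f'by users auth by anonymous auth',
    f'to dn.subtree="{BASE}" by group.exact="{ADMIN_DIR}" write by dn.base="{REPLICATOR}" read '
    f'by users read by anonymous read',
]
ACLS = [parse_acl(d) for d in DIRECTIVES]

if __name__ == "__main__":
    print("foo on bar userPassword ->", effective_access(ACLS, GROUPS, FOO, BAR, "userPassword"))
    print("bar on admin-ldap group ->", effective_access(ACLS, GROUPS, BAR, ADMIN_LDAP, "member"))
    # Rule order is policy: the ou=system rule placed after the catch-all subtree rule opens the admin groups.
    swapped = ACLS[:2] + ACLS[3:] + [ACLS[2]]
    print("same, ou=system rule last ->", effective_access(swapped, GROUPS, BAR, ADMIN_LDAP, "member"))
```

Run it as a script to see the three decisions, or import it and call effective_access() with your own directives: feeding it the real olcAccess values from slapcat output is a quick desk check before the slapacl tool is run against a live server.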
openldap-technical@openldap.org