Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a group to set up users allowed to access and write to entries inside my tree.
I've created the group (objectclass groupOfNames, important for the group ACL feature):
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
In cn=config I have:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
1. The password field is empty -- it should hold a value.
2. Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access".
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
On Sun, 30 Jan 2011 23:36:13 +0100, Thomas Schweikle tps@vr-web.de wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a group to set up users allowed to access and write to entries inside my tree.
I've created the group (objectclass groupOfNames, important for the group ACL feature):
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
In cn=config I have:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
- The password field is empty -- it should hold a value.
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access".
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
http://www.openldap.org/faq/data/cache/189.html
http://www.openldap.org/faq/data/cache/52.html
-Dieter
On 31.01.2011 08:29, Dieter Kluenter wrote:
On Sun, 30 Jan 2011 23:36:13 +0100, Thomas Schweikle tps@vr-web.de wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a group to set up users allowed to access and write to entries inside my tree.
I've created the group (objectclass groupOfNames, important for the group ACL feature):
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
In cn=config I have:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
- The password field is empty -- it should hold a value.
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access".
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
Had found this, read it, but got no additional information out of it. I'd like to have access to the database for some people only. Mainly to reset passwords. I've tried. It did not work. I'd read the chapters in the admin manual. Didn't help. I am asking the list --- and I am redirected to these, already known documents. Doesn't help either.
I've found this, read it, modified it to match my data, imported it. And noticed it not changing anything. AFAIK I shall have access to change the password of existing users. In reality I do not even have access to read the password???
At the moment I have:
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=adm,dc=example,dc=com" write by group.exact="cn=administrators,dc=example,dc=com" write by anonymous auth by self write by * none
cn=adm,dc=example,dc=com has write access to these attributes, members of the group cn=administrators,dc=example,dc=com have write access, and the user authenticated as that cn has write access. Anonymous users can authenticate. All authenticated users may read. All non-authenticated users do not have any access at all.
olcAccess: {1}to dn.base="" by * read
Anyone may read the tree from dn.base on.
olcAccess: {2}to * by dn="cn=adm,dc=example,dc=com" write by group.exact="cn=administrators,dc=example,dc=com" write by * read
cn=adm,dc=example,dc=com has write access, as have members of the group cn=administrators,dc=example,dc=com. All others have read access.
Seems this interpretation is wrong. How do I have to interpret it the correct way?
On Mon, 31 Jan 2011 10:54:55 +0100, Thomas Schweikle tps@vr-web.de wrote:
On 31.01.2011 08:29, Dieter Kluenter wrote:
On Sun, 30 Jan 2011 23:36:13 +0100, Thomas Schweikle tps@vr-web.de wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a group to set up users allowed to access and write to entries inside my tree.
I've created the group (objectclass groupOfNames, important for the group ACL feature):
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
In cn=config I have:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
- The password field is empty -- it should hold a value.
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access".
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
Had found this, read it, but got no additional information out of it. I'd like to have access to the database for some people only. Mainly to reset passwords. I've tried. It did not work. I'd read the chapters in the admin manual. Didn't help. I am asking the list --- and I am redirected to these, already known documents. Doesn't help either.
I've found this, read it, modified it to match my data, imported it. And noticed it not changing anything. AFAIK I shall have access to change the password of existing users. In reality I do not even have access to read the password???
At the moment I have:
olcAccess: {0}to attrs=userPassword,shadowLastChange,krbPrincipalKey by dn="cn=adm,dc=example,dc=com" write by group.exact="cn=administrators,dc=example,dc=com" write by anonymous auth by self write by * none
cn=adm,dc=example,dc=com has write access to these attributes, members of the group cn=administrators,dc=example,dc=com have write access, and the user authenticated as that cn has write access. Anonymous users can authenticate. All authenticated users may read. All non-authenticated users do not have any access at all.
olcAccess: {1}to dn.base="" by * read
This is access to rootdn, which is required to read the server's capabilities.
Anyone may read the tree from dn.base on.
olcAccess: {2}to * by dn="cn=adm,dc=example,dc=com" write by group.exact="cn=administrators,dc=example,dc=com" write by * read
It is not quite clear whether this is supposed to be a global or a database specific access rule. It should be a database specific rule set:
dn: olcDatabase=hdb,cn=config
...
olcAccess: to dn.subtree=dc=example,dc=com
  by group/groupOfNames/member.exact=cn=administrators,dc=example,dc=com write
  by dn.exact=cn=adm,dc=example,dc=com write
  by users read
[...]
-Dieter
Thomas Schweikle wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a group to set up users allowed to access and write to entries inside my tree.
I've created the group (objectclass groupOfNames, important for the group ACL feature):
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
In cn=config I have:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
- The password field is empty -- it should hold a value.
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access".
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
The OpenLDAP server is unable to authenticate user1 unless user1 has a valid password. I assume that adm is your admin DN. Try to set an initial password for user1 with the adm account. And then verify that a search operation is successful before trying to write.
In your acls you use "dc=example,dc=com" as suffix, but your real suffix is "dc=xompu,dc=de". Isn't it?
On 31.01.2011 11:52, harry.jede@arcor.de wrote:
Thomas Schweikle wrote:
Hi!
I am trying to set up access control for an OpenLDAP server. I'd like to use a group to set up users allowed to access and write to entries inside my tree.
I've created the group (objectclass groupOfNames, important for the group ACL feature):
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
In cn=config I have:
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read
Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com":
- The password field is empty -- it should hold a value.
- Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access".
I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1?
The OpenLDAP server is unable to authenticate user1 unless user1 has a valid password. I assume that adm is your admin DN. Try to set an initial password for user1 with the adm account. And then verify that a search operation is successful before trying to write.
user1 has a password and is authenticated via Kerberos. This is working as expected. A ticket is granted. There is no password within LDAP for this user.
user2 has no Kerberos password and is authenticated via LDAP. This is working as expected.
1. I can log in with both users.
2. I can view the database with both users.
3. I can't change the password with any of the users, but this seems to be a bug introduced by Ubuntu and PAM configuration. Maybe it is a regression, since it has worked for some time in the past.
4. How do I set up a group of users to change and reset passwords for other users? It is not useful to do it this way:
- log in to the server
- sudo to root
- export the user
- edit the exported LDIF to apply changes
- use ldapmodify to apply the changes made
This is a lot too complicated and error-prone. I'd like to use gq or something else (not web based), and I'd like to have additional users having the right to do it, not giving them my rootDN including password. Ideally these users would have to be authenticated by Kerberos, as this would give an encrypted connection to the LDAP server.
In your acls you use "dc=example,dc=com" as suffix, but your real suffix is "dc=xompu,dc=de". Isn't it?
Both. One is my staging server, the other is the one that is to go into production if I ever get it running!
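As an added illustration (not code from the thread or from OpenLDAP), here is a small Python model of how slapd evaluates olcAccess: the first "to" clause matching the entry and attribute is selected, the first matching "by" clause inside it fixes the access level, and an implicit "by * none" closes each clause. It replays the poster's three clauses against constructed group membership and bound DNs; the GSSAPI-style DN and its realm are assumptions, standing in for any bind whose DN is not literally listed as a member (as when the ACL names dc=example,dc=com but the entries live under dc=xompu,dc=de).

```python
from dataclasses import dataclass, field

LEVELS = ["none", "auth", "compare", "search", "read", "write"]

@dataclass
class Rule:
    attrs: "set | None" = None        # None: any attribute ("to *")
    base_dn: "str | None" = None      # dn.base="" matches only the root DSE
    by: list = field(default_factory=list)  # ordered (who, level) pairs

# Constructed directory data: only these DNs are members of the admin group.
GROUPS = {"cn=administrators,dc=example,dc=com": {
    "cn=user1,ou=Users,dc=example,dc=com", "cn=user2,ou=Users,dc=example,dc=com"}}

def who_matches(who, bound_dn, target_dn):
    if who == "*": return True
    if who == "anonymous": return bound_dn is None
    if who == "users": return bound_dn is not None
    if who == "self": return bound_dn is not None and bound_dn.lower() == target_dn.lower()
    kind, _, arg = who.partition("=")
    if kind == "dn": return bound_dn is not None and bound_dn.lower() == arg.lower()
    if kind == "group.exact": return bound_dn in GROUPS.get(arg, set())
    raise ValueError(f"unsupported <who> clause: {who}")

def access(rules, bound_dn, target_dn, attr):
    """First matching 'to' clause is selected; first matching 'by' sets the level."""
    for r in rules:
        if r.base_dn is not None and target_dn != r.base_dn: continue
        if r.attrs is not None and attr not in r.attrs: continue
        for who, level in r.by:
            if who_matches(who, bound_dn, target_dn): return level
        return "none"               # implicit "by * none" ends every clause
    return "none"

def allowed(rules, bound_dn, target_dn, attr, want):
    return LEVELS.index(access(rules, bound_dn, target_dn, attr)) >= LEVELS.index(want)

# The poster's olcAccess clauses, transcribed from the thread.
PW_RULE = Rule({"userPassword", "shadowLastChange", "krbPrincipalKey"}, by=[
    ("dn=cn=adm,dc=example,dc=com", "write"),
    ("group.exact=cn=administrators,dc=example,dc=com", "write"),
    ("anonymous", "auth"), ("self", "write"), ("*", "none")])
ROOTDSE_RULE = Rule(base_dn="", by=[("*", "read")])
ALL_RULE = Rule(by=[("dn=cn=adm,dc=example,dc=com", "write"),
    ("group.exact=cn=administrators,dc=example,dc=com", "write"), ("*", "read")])
POSTER_ACL = [PW_RULE, ROOTDSE_RULE, ALL_RULE]
MISORDERED_ACL = [ROOTDSE_RULE, ALL_RULE, PW_RULE]  # password clause no longer first
# A bind that is not a listed member, e.g. an unmapped SASL/GSSAPI identity
# (realm assumed) or an entry under a different suffix than the ACL names.
NOT_MEMBER = "uid=user1,cn=EXAMPLE.COM,cn=gssapi,cn=auth"
```

A non-member bind gets "none" on userPassword, which is exactly the blank password field and the "Insufficient access" on modify, while the same bind still reads every other attribute. The MISORDERED_ACL case shows why the attrs=userPassword clause must stay in front of any "to *" or dn.subtree clause: otherwise the broad clause's "by * read" (or "by users read") applies to userPassword and every reader gets the password hashes.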
openldap-technical@openldap.org