2:05 a.m.
Hello,
I manage all my users with LDAP.
I would like to build the following reading rules:
1. only admin can change passwords, authenticated users read and anonymous do nothing
2. Authenticated users access the database but can only read their account but not the
rest
3. the group ou = system-read can read the whole database
4. the group ou = system-write can write in ou = ent
5. Anonymous access is forbidden
My LDIF file :
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by
dn="cn=admin,dc=example,dc=fr" write by * auth
olcAccess: {1}to dn.base="" by self write by
dn="ou=system-read,dc=example,dc=fr" read by * auth
olcAccess: {2}to dn.subtree="ou=ent,dc=example,dc=fr" by self write by
dn="ou=system-write,dc=example,dc=fr" write by * none
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=fr" write by *
none
I have a lot of trouble with ACLs, I can not do what I want with. Thank you for your help.
Florent
1:56 a.m.
Bonjour Florent,
(sorry I answer just this in Freanch : easier to me 🙂 Les ACL s'arrêtent au premier
match. Il faut donc mettre les droits des user sconcernés pour chaque ACL).
Here a franch link : https://www.vincentliefooghe.net/content/les-acl-dans-openldap
Here an example :
access to attrs=userPassword
by dn.exact="cn=admin,dc=example,dc=fr" write
by users auth
by anonymous auth
by * none
access to dn.subtree="the_place_you_want"
by dn="ou=system-write,dc=example,dc=fr" write
by dn="ou=system-read,dc=example,dc=fr" read
by users read
access to dn.subtree="ou=ent,dc=example,dc=fr"
by self write
by dn="ou=system-read,dc=example,dc=fr" read
by dn="ou=system-write,dc=example,dc=fr" write
by * none
Another way very interesting is to use "break" and "continue"
keyword.
________________________________
De : openldap-technical <openldap-technical-bounces(a)openldap.org> de la part de
Florent Vallée <florent.vallee(a)insa-cvl.fr>
Envoyé : lundi 20 mai 2019 11:05
À : openldap-technical
Objet : OPEN LDAP ACL
Hello,
I manage all my users with LDAP.
I would like to build the following reading rules:
1. only admin can change passwords, authenticated users read and anonymous do nothing
2. Authenticated users access the database but can only read their account but not the
rest
3. the group ou = system-read can read the whole database
4. the group ou = system-write can write in ou = ent
5. Anonymous access is forbidden
My LDIF file :
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by
dn="cn=admin,dc=example,dc=fr" write by * auth
olcAccess: {1}to dn.base="" by self write by
dn="ou=system-read,dc=example,dc=fr" read by * auth
olcAccess: {2}to dn.subtree="ou=ent,dc=example,dc=fr" by self write by
dn="ou=system-write,dc=example,dc=fr" write by * none
olcAccess: {3}to * by self write by dn="cn=admin,dc=example,dc=fr" write by *
none
I have a lot of trouble with ACLs, I can not do what I want with. Thank you for your
help.
Florent
2:41 p.m.
--On Tuesday, May 21, 2019 9:56 AM +0000 Olivier - <piwako(a)outlook.fr>
wrote:
Bonjour Florent,
(sorry I answer just this in Freanch : easier to me p Les ACL
s'arrêtent au premier match. Il faut donc mettre les droits des user
sconcernés pour chaque ACL).
Here a franch link :
https://www.vincentliefooghe.net/content/les-acl-dans-openldap
Here an example :
access to attrs=userPassword
by dn.exact="cn=admin,dc=example,dc=fr" write
by users auth
by anonymous auth
by * none
That should be "by users read", not "by users auth" as per their
stated
requirements. I would note that this ACL would be problematic in a
replicated environment unless the "cn=admin,dc=example,dc=fr" DN is also
used for replication.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
11:37 p.m.
--On Tuesday, May 21, 2019 3:41 PM -0700 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
> Here an example :
>
>
>
> access to attrs=userPassword
>
> by dn.exact="cn=admin,dc=example,dc=fr" write
>
> by users auth
>
> by anonymous auth
>
> by * none
That should be "by users read", not "by users auth" as per their
stated
requirements. I would note that this ACL would be problematic in a
replicated environment unless the "cn=admin,dc=example,dc=fr" DN is also
used for replication.
Additionally, I'm guessing what is really desired is "by self read" rather
than "by users read", as the latter would allow any authenticated DN to
read the userPassword value of any entry in the DB.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
1401
days inactive
1403
days old
openldap-technical@openldap.org
3 comments
3 participants
participants (3)
-
Florent Vallée -
Olivier - -
Quanah Gibson-Mount