Igor,
Igor Shmukler wrote (20.03.2015, 11:21):
> Unfortunately, your email does not clear anything up, FOR ME. It does not mean you are not 100% correct. I am just slow, I guess. Sorry.
Do simple things first! Do more complex things later!
- Configure a rootdn with rootpw for each database. Use this to authenticate to slapd and modify things. This works? Fine, go on.
- Create a user entry inside your DIT. Use this entry as rootdn. This works? Fine, go on.
- Map this user entry from your local unix user with olcAuthzRegexp to use with ldapi and EXTERNAL. This works? Fine, go on.
- or make your first steps with ACLs and another user entry.
> I don't see why/how Michael's suggestion with olcAuthzRegexp could work. The way that could have worked - multiple remaps, different for each database - is not allowed.
Read again what Michael said: "authz-regexp is a global configuration option."
> The one permitted - inside the config database, as far as I understand, does not do what I need.
Do you need multiple mappings? As you are one user on your system, this maps to one user in ldap with olcAuthzRegexp. As Michael already posted:
authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
Marc
Marc,
> - Configure a rootdn with rootpw for each database. Use this to authenticate to slapd and modify things. This works? Fine, go on.
Been working for a while.
> - Create a user entry inside your DIT. Use this entry as rootdn. This works? Fine, go on.
> - Map this user entry from your local unix user with olcAuthzRegexp to use with ldapi and EXTERNAL. This works? Fine, go on.
I am with you.
> - or make your first steps with ACLs and another user entry.
What do I do here?
> Do you need multiple mappings?
I understand that the config database would allow me to have up to fifty mappings. I just don't understand how those could work for my need.
> As you are one user on your system, this maps to one user in ldap with olcAuthzRegexp. As Michael already posted:
> authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
> uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
I don't understand how this COULD work. Please explain why the admin in DIT 1 would have manage rights to DIT 2.
Sincerely,
Igor Shmukler
Igor,
Igor Shmukler wrote (20.03.2015, 11:59):
>> - or make your first steps with ACLs and another user entry.
> What do I do here?
Read about ACLs in the man pages and the admin guide!?
>> Do you need multiple mappings?
> I understand that the config database would allow me to have up to fifty mappings. I just don't understand how those could work for my need.
>> As you are one user on your system, this maps to one user in ldap with olcAuthzRegexp. As Michael already posted:
>> authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
>> uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
> I don't understand how this COULD work. Please explain why the admin in DIT 1 would have manage rights to DIT 2.
He doesn't have to! But he can.
Go back to:
- Configure a rootdn with rootpw for each database. Use this to authenticate to slapd and modify things. This works? Fine, go on.
- Create a user entry inside your DIT _for every database admin you want_. Use _these entries_ as rootdn (one per database!). This works? Fine, go on.
- Delete the rootdn from config and make the user entry admin by an ACL.
Marc
Marc,
Thank you for the explanations. I appreciate your time. I also appreciate the help people on the list have given me, including Michael, Ferenc and others. I don't even recall everyone's name. I am thinking about giving up, though.
I even have a hard time understanding your messages, let alone OpenLDAP configuration steps.
I do have entries for each database. If my suffix is, for example, dc=test,dc=org, the administrator would be cn=admin,dc=test,dc=org. Administrators have manage access to their databases. This part is working fine. I add and remove records as needed. You also wrote one per database - this is exactly what I have. Unfortunately, despite all the help, I don't see how this is relevant.
The advice to read documentation is great. In fact, it never hurts.
I am happy to offer a bounty to the person who can configure this. I need to keep my setup with one config database with multiple DITs. I need each DIT database to work as today - be managed by an authenticated local/suffix root user. I need a way to alter records in any/every DIT database using another root - one that would work on ALL DITs. If someone could do this before Sunday morning, please contact me to discuss compensation. If I don't get to a result by Sunday morning, I have to start changing the architecture so I can show something on Monday. :)
Sincerely,
Igor Shmukler
On Fri, Mar 20, 2015 at 1:09 PM, Marc Patermann <hans.moser@ofd-z.niedersachsen.de> wrote:
> Igor,
> Igor Shmukler wrote (20.03.2015, 11:59):
>>> - or make your first steps with ACLs and another user entry.
>> What do I do here?
> Read about ACLs in the man pages and the admin guide!?
>>> Do you need multiple mappings?
>> I understand that the config database would allow me to have up to fifty mappings. I just don't understand how those could work for my need.
>>> As you are one user on your system, this maps to one user in ldap with olcAuthzRegexp. As Michael already posted:
>>> authz-regexp "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"
>>> uid 0 (from your system) maps to ldap entry cn=root,dc=example,dc=com.
>> I don't understand how this COULD work. Please explain why the admin in DIT 1 would have manage rights to DIT 2.
> He doesn't have to! But he can.
> Go back to:
> - Configure a rootdn with rootpw for each database. Use this to authenticate to slapd and modify things. This works? Fine, go on.
> - Create a user entry inside your DIT _for every database admin you want_. Use _these entries_ as rootdn (one per database!). This works? Fine, go on.
> - Delete the rootdn from config and make the user entry admin by an ACL.
> Marc
Igor,
Igor Shmukler wrote (20.03.2015, 12:22):
> I do have entries for each database. If my suffix is, for example, dc=test,dc=org, the administrator would be cn=admin,dc=test,dc=org. Administrators have manage access to their databases. This part is working fine. I add and remove records as needed. You also wrote one per database - this is exactly what I have. Unfortunately, despite all the help, I don't see how this is relevant.
I thought this is what you want!?
> The advice to read documentation is great. In fact, it never hurts.
> I am happy to offer a bounty to the person who can configure this. I need to keep my setup with one config database with multiple DITs.
This is the basic standard. You only have one config database. And one or more data databases.
> I need each DIT database to work as today
whatever this is ...
> - be managed by an authenticated local/suffix root user.
One user per database was what I talked about. One admin/manage/root user for all databases is even simpler: just use the same user in all your databases.
What you cannot do (IMHO), is mapping _one_ system user to _many_ ldap users. But I don't think this is necessary.
> I need a way to alter records in any/every DIT database using another root - one that would work on ALL DITs.
Use ACL!
> If someone could do this before Sunday morning, please contact me to discuss compensation. If I don't get to a result by Sunday morning, I have to start changing the architecture so I can show something on Monday. :)
Good luck with that!
Marc
Hi Marc,
Thank you for reading my thread and trying to help.
>> I do have entries for each database. If my suffix is, for example, dc=test,dc=org, the administrator would be cn=admin,dc=test,dc=org. Administrators have manage access to their databases. This part is working fine. I add and remove records as needed. You also wrote one per database - this is exactly what I have. Unfortunately, despite all the help, I don't see how this is relevant.
> I thought this is what you want!?
I want it, and it is working fine. This is however not ALL that I want.
> This is the basic standard. You only have one config database. And one or more data databases.
You are obviously correct. Even I know this, by now.
>> I need each DIT database to work as today
> whatever this is ...
>> - be managed by an authenticated local/suffix root user.
> One user per database was what I talked about. One admin/manage/root user for all databases is even simpler: just use the same user in all your databases.
> What you cannot do (IMHO), is mapping _one_ system user to _many_ ldap users. But I don't think this is necessary.
Right, I also think that we cannot map one user to many because mapping is done at config level, and there is one config per server. This was my point.
>> I need a way to alter records in any/every DIT database using another root - one that would work on ALL DITs.
> Use ACL!
Makes sense. I just don't know how to get ACLs to work, nor does anyone else.
>> If someone could do this before Sunday morning, please contact me to discuss compensation. If I don't get to a result by Sunday morning, I have to start changing the architecture so I can show something on Monday. :)
> Good luck with that!
Thank you. I need it. Otherwise, I will have to do a huge rewrite on Sunday. I would rather not have to do the marathon thing.
Sincerely,
Igor Shmukler
Igor Shmukler wrote (20.03.2015, 13:43):
>>> I need a way to alter records in any/every DIT database using another root - one that would work on ALL DITs.
>> Use ACL!
> Makes sense. I just don't know how to get ACLs to work, nor does anyone else.
Be the first, read the docs!
openldap-technical@openldap.org
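Marc's steps put together as one cn=config LDIF: one global authz-regexp mapping local uid 0 over ldapi/EXTERNAL to a single "super root" entry, each database keeping its own rootdn, and an ACL in every other database granting that entry manage rights. This is an added example, not configuration posted in the thread; the database indexes {1}mdb/{2}mdb, the suffix dc=test,dc=org and the cn=admin entries are assumptions, while cn=root,dc=example,dc=com is the DN from Michael's authz-regexp line.

```ldif
# Constructed example (not from the thread). Assumed layout:
#   olcDatabase={1}mdb  suffix dc=test,dc=org     rootdn cn=admin,dc=test,dc=org
#   olcDatabase={2}mdb  suffix dc=example,dc=com  rootdn cn=root,dc=example,dc=com
# cn=root,dc=example,dc=com is the one entry that must manage ALL DITs.

# 1. Global SASL identity mapping (cn=config has exactly one of these):
#    local uid 0 on ldapi:/// with -Y EXTERNAL becomes cn=root,dc=example,dc=com.
dn: cn=config
changetype: modify
replace: olcAuthzRegexp
olcAuthzRegexp: "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=root,dc=example,dc=com"

# 2. Database {1}: keeps its own rootdn (an entry inside the DIT, so its
#    userPassword is used for simple bind). rootdn bypasses ACLs only in
#    this database, so the global admin is granted manage here by ACL {0};
#    "by * break" lets everyone else fall through to the normal rules.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=admin,dc=test,dc=org
-
replace: olcAccess
olcAccess: {0}to * by dn.exact="cn=root,dc=example,dc=com" manage by * break
olcAccess: {1}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {2}to * by self write by users read by * none

# 3. Database {2}: the global admin is this database's rootdn, so it needs
#    no extra ACL here. Any further database gets the same {0} rule as above.
dn: olcDatabase={2}mdb,cn=config
changetype: modify
replace: olcRootDN
olcRootDN: cn=root,dc=example,dc=com
-
replace: olcAccess
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to * by self write by users read by * none
```

Apply it with `ldapmodify -Y EXTERNAL -H ldapi:/// -f file.ldif` as root, then check the mapping with `ldapwhoami -Y EXTERNAL -H ldapi:///`, which should report dn:cn=root,dc=example,dc=com.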