Hi,
here is my scenario:
dn: dc=mycompany,dc=hu
  dn: ou=ABC Customer,dc=mycompany,dc=hu
    +- dn: cn=group1abc,ou=ABC Customer,dc=mycompany,dc=hu
    +- dn: cn=group2abc,ou=ABC Customer,dc=mycompany,dc=hu
    +- dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
    +- dn: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
    +- dn: uid=user2,ou=ABC Customer,dc=mycompany,dc=hu
  dn: ou=XYZ Customer,dc=mycompany,dc=hu
    +- dn: cn=group1xyz,ou=XYZ Customer,dc=mycompany,dc=hu
    +- dn: cn=group2xyz,ou=XYZ Customer,dc=mycompany,dc=hu
    +- dn: uid=user1,ou=XYZ Customer,dc=mycompany,dc=hu
    +- dn: uid=user2,ou=XYZ Customer,dc=mycompany,dc=hu
  ...
the cn=groupabcadmin,ou=ABC Customer node above looks like this:
dn: cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu
objectClass: groupOfNames
cn: groupabcadmin
member: uid=user1,ou=ABC Customer,dc=mycompany,dc=hu
I'd like to set it up so that all members of the cn=groupabcadmin group (currently the "uid=user1,ou=ABC Customer" user, ...) can write to the DB (add, modify, delete) under their own OU, specifically ou=ABC Customer,dc=mycompany,dc=hu.
I've found this example: http://www.openldap.org/faq/data/cache/52.html
Now the config looks like this:
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=mycompany,dc=hu
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
olcLastMod: TRUE
The password of uid=user1 is right; I can read from the DB with it. But when I try to add a new user, I get:
ldap_add: Insufficient access (50)
        additional info: no write access to parent
and in log:
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_dn2entry("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_dn2id("uid=user2,ou=abc customer,dc=mycompany,dc=hu")
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
Oct 11 17:03:16 open-ldap slapd[25821]: => mdb_entry_decode:
Oct 11 17:03:16 open-ldap slapd[25821]: <= mdb_entry_decode
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: add access to "ou=ABC Customer,dc=mycompany,dc=hu" "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => dn: [2]
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_get: [3] attr children
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: access to entry "ou=ABC Customer,dc=mycompany,dc=hu", attr "children" requested
Oct 11 17:03:16 open-ldap slapd[25821]: => acl_mask: to all values by "uid=user1,ou=abc customer,dc=mycompany,dc=hu", (=0)
Oct 11 17:03:16 open-ldap slapd[25821]: <= check a_dn_pat: *
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] applying read(=rscxd) (stop)
Oct 11 17:03:16 open-ldap slapd[25821]: <= acl_mask: [1] mask: read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => slap_access_allowed: add access denied by read(=rscxd)
Oct 11 17:03:16 open-ldap slapd[25821]: => access_allowed: no more rules
Oct 11 17:03:16 open-ldap slapd[25821]: mdb_add: no write access to parent
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: conn=1208 op=1 p=3
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_result: err=50 matched="" text="no write access to parent"
Oct 11 17:03:16 open-ldap slapd[25821]: send_ldap_response: msgid=2 tag=105 err=50
Oct 11 17:03:16 open-ldap slapd[25821]: conn=1208 op=1 RESULT tag=105 err=50 text=no write access to parent
What am I missing?
Thanks,
a.
On 11/10/2017 at 17:31, Ervin Hegedüs wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
Rule {2} catches all requests (to * by *), so rule {3} is never applied.
You can do:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * none
olcAccess: {3}to * by * read
Hi Clément,
thanks for your help,
On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
On 11/10/2017 at 17:31, Ervin Hegedüs wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
Rule {2} catches all requests (to * by *), so rule {3} is never applied.
You can do:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * none
olcAccess: {3}to * by * read
With these rules, I couldn't read from the DB as anonymous or as an authenticated user, only the self record.
So I've modified your idea like this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
olcAccess: {3}to * by * read
With these rules, I can modify the user attributes, except userPassword.
But after the modification (on the master node), the slave can't replicate the new entries...
Without rule {2}, the slave works fine with the repuser DN.
What did I do wrong?
Thanks,
a.
On 12/10/2017 at 16:39, Ervin Hegedüs wrote:
Hi Clément,
thanks for your help,
On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
On 11/10/2017 at 17:31, Ervin Hegedüs wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by * read
olcAccess: {3}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * auth
Rule {2} catches all requests (to * by *), so rule {3} is never applied.
You can do:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * none
olcAccess: {3}to * by * read
With these rules, I couldn't read from the DB as anonymous or as an authenticated user, only the self record.
So I've modified your idea like this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
olcAccess: {3}to * by * read
With these rules, I can modify the user attributes, except userPassword.
But after the modification (on the master node), the slave can't replicate the new entries...
Without rule {2}, the slave works fine with the repuser DN.
What did I do wrong?
Just add by dn="uid=repuser,dc=mycompany,dc=hu" read in rule {2}
Clément.
Hi Clément,
On Thu, Oct 12, 2017 at 05:01:54PM +0200, Clément OUDOT wrote:
So I've modified your idea like this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
olcAccess: {3}to * by * read
With these rules, I can modify the user attributes, except userPassword.
But after the modification (on the master node), the slave can't replicate the new entries...
Without rule {2}, the slave works fine with the repuser DN.
What did I do wrong?
Just add by dn="uid=repuser,dc=mycompany,dc=hu" read in rule {2}
no luck - the replication doesn't work:
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: auth access to "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu" "userPassword" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu", attr "userPassword" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: to value by "", (=0)
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 17:29:51 open-ldap slapd[31421]: <= acl_mask: [2] applying auth(=xd) (stop)
Oct 12 17:29:51 open-ldap slapd[31421]: <= acl_mask: [2] mask: auth(=xd)
Oct 12 17:29:51 open-ldap slapd[31421]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: auth access granted by auth(=xd)
Oct 12 17:29:51 open-ldap slapd[31421]: => mdb_entry_get: found entry: "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: search access to "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu" "objectClass" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => dn: [2]
Oct 12 17:29:51 open-ldap slapd[31421]: => dn: [3] ou=abc customer,dc=mycompany,dc=hu
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_get: [3] matched
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_get: [3] attr objectClass
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu", attr "objectClass" requested
Oct 12 17:29:51 open-ldap slapd[31421]: => acl_mask: to all values by "uid=repuser,dc=mycompany,dc=hu", (=0)
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_group_pat: cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
Oct 12 17:29:51 open-ldap slapd[31421]: => mdb_entry_get: found entry: "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 17:29:51 open-ldap slapd[31421]: <= check a_dn_pat: uid=repuser,dc=mycompany,dc=hu
Oct 12 17:29:51 open-ldap slapd[31421]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 12 17:29:51 open-ldap slapd[31421]: => slap_access_allowed: search access denied by =0
Oct 12 17:29:51 open-ldap slapd[31421]: => access_allowed: no more rules
rules:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read
olcAccess: {3}to * by * read
Thanks,
a.
On 12/10/2017 at 17:32, Ervin Hegedüs wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read
olcAccess: {3}to * by * read
What is the DN of your replication user? Here you have one in dc=core,dc=hdt,dc=hu and the other in dc=mycompany,dc=hu. Just set read rights for the appropriate user.
Hi,
sorry for the late answer,
On Thu, Oct 12, 2017 at 04:39:45PM +0200, Ervin Hegedüs wrote:
On Thu, Oct 12, 2017 at 09:16:24AM +0200, Clément OUDOT wrote:
[...]
You can do:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by * none
olcAccess: {3}to * by * read
[...]
So I've modified your idea like this:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=mycompany,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=mycompany,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=mycompany,dc=hu" write by self write by anonymous auth
olcAccess: {3}to * by * read
With these rules, I can modify the user attributes, except userPassword.
But after the modification (on the master node), the slave can't replicate the new entries...
here are the loglines:
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: result not in cache (userPassword)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access to "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu" "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu", attr "userPassword" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to value by "", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] applying auth(=xd) (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: [2] mask: auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: auth access granted by auth(=xd)
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: search access to "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu" "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [2]
Oct 12 16:49:11 open-ldap slapd[31421]: => dn: [3] ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] matched
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_get: [3] attr objectClass
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: access to entry "uid=abc_airween,ou=ABC Customer,dc=mycompany,dc=hu", attr "objectClass" requested
Oct 12 16:49:11 open-ldap slapd[31421]: => acl_mask: to all values by "uid=repuser,dc=mycompany,dc=hu", (=0)
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_group_pat: cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
Oct 12 16:49:11 open-ldap slapd[31421]: => mdb_entry_get: found entry: "cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu"
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 12 16:49:11 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 12 16:49:11 open-ldap slapd[31421]: <= acl_mask: no more <who> clauses, returning =0 (stop)
Oct 12 16:49:11 open-ldap slapd[31421]: => slap_access_allowed: search access denied by =0
Oct 12 16:49:11 open-ldap slapd[31421]: => access_allowed: no more rules
where:
* uid=abc_user1,ou=ABC Customer,dc=mycompany,dc=hu is the admin user who wants to execute the request; it's a member of cn=groupabcadmin,ou=abc customer,dc=mycompany,dc=hu
* uid=abc_airween,ou=abc customer,dc=mycompany,dc=hu is the OU user whose data should be modified
* uid=repuser,dc=mycompany,dc=hu is the replicator user
Thanks,
a.
Ervin Hegedüs wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
Additional side notes regarding this ACL above (which is often used in tutorials):
1. You should use slapo-ppolicy instead of deprecated 'shadowLastChange' attribute to enforce password expiry.
2. With this ACL the user can extend the password validity period himself which renders password expiry ineffective.
Ciao, Michael.
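The ACL decisions traced in this thread can be reproduced offline with the model below. It is an added example for this page, not OpenLDAP code and not anything posted by the participants: a small Python re-implementation of the two slapd.access(5) rules the acl_mask traces above are showing, namely that the first "to" clause whose "what" matches the target is the only one consulted (Clément's point that "to * by * read" shadows rule {3}, and the repuser denial ending in "no more <who> clauses, returning =0"), and that an add is checked as write on the parent's "children" pseudo-attribute (the "add access to "ou=ABC Customer,..." "children" requested" line in the first mail). It also runs Michael's point: with "to attrs=userPassword,shadowLastChange by self write" a user gets write on their own shadowLastChange. The group entry it consults, the uid=user2 / uid=abc_airween targets and the FIXED rule set are constructed here from the thread's DNs, not taken from a posted config. One caveat the thread does not spell out and the model makes visible: per slapd.access(5), dn.children= matches only entries below the OU, not the OU entry itself, so the reordered rule grants modify on existing users while an add still falls through to "to * by * read"; the FIXED set therefore adds a "to dn.base="ou=ABC Customer,..." attrs=children" rule for the admin group.

```python
"""Model of slapd's olcAccess evaluation for the rules in this thread. Added example, not
OpenLDAP code. Per slapd.access(5) and the posted acl traces: the first <to> clause whose
<what> matches is the only one consulted, and inside it the first matching <by> clause
decides; an add needs write on the parent's "children" and the new entry's "entry" pseudo-
attributes. Only the forms the thread uses are modelled; DNs compare as lower-cased strings."""
import re

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
WHAT_RE = re.compile(r'(dn(?:\.\w+)?)="([^"]*)"|attrs=(\S+)|(\*)')
WHO_RE = re.compile(r'^(\S+?="[^"]*"|\S+)\s+(\S+)$')

def norm(dn):
    return ",".join(rdn.strip().lower() for rdn in dn.split(",")) if dn else ""

def parse_rule(text):
    """Parse one olcAccess value; a leading '{n}' index is accepted and ignored."""
    what, *whos = re.split(r"\s+by\s+", re.sub(r"^(\{\d+\})?to\s+", "", text.strip()))
    rule = {"scope": ("subtree", ""), "attrs": set(), "by": []}   # "to *": every entry
    for dnkey, dnval, attrs, _ in WHAT_RE.findall(what):
        if dnkey:                                   # dn.base= / dn.children= / dn.subtree=
            rule["scope"] = (dnkey.partition(".")[2] or "base", norm(dnval))
        elif attrs:
            rule["attrs"] = {a.lower() for a in attrs.split(",")}
    for who in whos:
        m = WHO_RE.match(who.strip())
        if not m or m.group(2) not in LEVELS:
            raise ValueError(f"bad <by> clause: {who!r}")
        rule["by"].append((m.group(1), m.group(2)))
    return rule

def dn_matches(scope, dn):
    kind, base = scope
    dn = norm(dn)
    below = base == "" or dn.endswith("," + base)
    if kind == "children":      # strict descendants: the base entry itself is NOT covered
        return dn != base and below
    if kind == "subtree":
        return dn == base or below
    return dn == base           # dn.base / dn.exact

def who_matches(who, requester, entry_dn, directory):
    req = norm(requester)
    if who in ("*", "self", "anonymous", "users"):
        return {"*": True, "self": req != "" and req == norm(entry_dn),
                "anonymous": req == "", "users": req != ""}[who]
    kind, _, value = who.partition("=")             # dn="..." or group.exact="..."
    if kind.startswith("dn"):
        return req == norm(value.strip('"'))
    members = directory.get(norm(value.strip('"')), {}).get("member", [])  # group.exact lookup
    return req in {norm(m) for m in members}

def access_allowed(rules, directory, requester, entry_dn, attr, wanted):
    """Return (granted, why); 'why' reads like the acl_mask lines in the thread's logs."""
    for i, rule in enumerate(rules):
        if not dn_matches(rule["scope"], entry_dn) or (rule["attrs"] and attr.lower() not in rule["attrs"]):
            continue
        for who, level in rule["by"]:               # first matching <by> clause stops evaluation
            if who_matches(who, requester, entry_dn, directory):
                ok = LEVELS.index(level) >= LEVELS.index(wanted)
                return ok, f"rule {{{i}}}: by {who} {level} {'grants' if ok else 'denies'} {wanted}"
        return False, f"rule {{{i}}}: no <who> clause matched, =0"
    return False, "no rule matched (modelled as none)"

def can_add(rules, directory, requester, new_dn):
    """mdb_add order: write on the parent's 'children', then write on the new entry's 'entry'."""
    ok, why = access_allowed(rules, directory, requester, new_dn.split(",", 1)[1], "children", "write")
    if not ok:
        return False, "no write access to parent: " + why
    return access_allowed(rules, directory, requester, new_dn, "entry", "write")

OU = "ou=ABC Customer,dc=mycompany,dc=hu"
ADMINS, USER1, REPUSER = f"cn=groupabcadmin,{OU}", f"uid=user1,{OU}", "uid=repuser,dc=mycompany,dc=hu"
DIRECTORY = {norm(ADMINS): {"member": [USER1]}}    # constructed: only what group.exact looks up
PW = "to attrs=userPassword,shadowLastChange by self write by anonymous auth"
OUR = f'to dn.children="{OU}" by self write by group.exact="{ADMINS}" write'
ROOT, ALL, REP = 'to dn.base="" by * read', "to * by * read", f'by dn="{REPUSER}" read'
def rs(*values): return [parse_rule(v) for v in values]
ORIGINAL = rs(f"{PW} by * none", ROOT, ALL, f"{OUR} by * auth")            # first mail
CLEMENT = rs(f"{PW} by * none", ROOT, f"{OUR} by * none", ALL)             # first reply
NO_REPUSER = rs(f"{PW} {REP} by * none", ROOT, f"{OUR} by anonymous auth", ALL)
WRONG_SUFFIX = rs(f"{PW} {REP} by * none", ROOT, f'{OUR} by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read', ALL)
WITH_REPUSER = rs(f"{PW} {REP} by * none", ROOT, f"{OUR} {REP}", ALL)
# Constructed set: covers the add case and takes shadowLastChange out of self-write
# (password ageing itself is slapo-ppolicy's job and is not modelled here).
FIXED = rs(f"to attrs=userPassword by self write by anonymous auth {REP} by * none",
           "to attrs=shadowLastChange by users read by * none", ROOT,
           f'to dn.base="{OU}" attrs=children by group.exact="{ADMINS}" write by * read',
           f"{OUR} {REP} by * read", ALL)

def scenarios():
    """The thread's situations; every value is (granted, why)."""
    new_user, victim = f"uid=user2,{OU}", f"uid=abc_airween,{OU}"
    return {
        "original_add": can_add(ORIGINAL, DIRECTORY, USER1, new_user),        # "no write access to parent"
        "clement_anon_read": access_allowed(CLEMENT, DIRECTORY, "", victim, "cn", "read"),
        "reordered_modify": access_allowed(NO_REPUSER, DIRECTORY, USER1, victim, "mail", "write"),
        "reordered_add": can_add(NO_REPUSER, DIRECTORY, USER1, new_user),     # OU itself not in dn.children
        "repl_no_clause": access_allowed(NO_REPUSER, DIRECTORY, REPUSER, victim, "objectClass", "search"),
        "repl_wrong_suffix": access_allowed(WRONG_SUFFIX, DIRECTORY, REPUSER, victim, "objectClass", "search"),
        "repl_fixed": access_allowed(WITH_REPUSER, DIRECTORY, REPUSER, victim, "objectClass", "search"),
        "self_shadow_original": access_allowed(ORIGINAL, DIRECTORY, USER1, USER1, "shadowLastChange", "write"),
        "self_shadow_fixed": access_allowed(FIXED, DIRECTORY, USER1, USER1, "shadowLastChange", "write"),
        "fixed_add": can_add(FIXED, DIRECTORY, USER1, new_user),
    }
```

scenarios() returns the (granted, why) pair for each case, so importing the file and printing that dict shows which rule and which "by" clause decided, in the same order slapd's trace would. Against a real server the authoritative check is slapacl(8), which evaluates the loaded olcAccess rules without a bind; an invocation of the shape slapacl -F /etc/ldap/slapd.d -D "uid=user1,ou=ABC Customer,dc=mycompany,dc=hu" -b "ou=ABC Customer,dc=mycompany,dc=hu" children/write (check the flags against the man page for your version) answers the first mail's question directly.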
Hi Michael,
On Thu, Oct 12, 2017 at 10:34:09PM +0200, Michael Ströder wrote:
Ervin Hegedüs wrote:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write
Additional side notes regarding this ACL above (which is often used in tutorials):
- You should use slapo-ppolicy instead of deprecated 'shadowLastChange'
attribute to enforce password expiry.
thanks - I'm relatively "new" (returning after many years) to OpenLDAP. Most of the concepts are very new to me, especially the one above (slapo-ppolicy).
I have to read the related documentation.
- With this ACL the user can extend the password validity period
himself which renders password expiry ineffective.
good catch, I'll review the rules again tomorrow.
Thanks again!
a.
openldap-technical@openldap.org