11:06 a.m.
--On Thursday, October 12, 2017 6:32 PM +0200 Ervin Hegedüs
<airween(a)gmail.com> wrote:
rules:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by
self write by group.exact="cn=groupabcadmin,ou=ABC
Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by
dn="uid=repuser,dc=mycompany,dc=hu" read olcAccess: {3}to * by * read
Your olcAccess: {1} value does not belong in your back-MDB database. That
rule goes in the {-1}frontend,cn=config portion of the database as a global
access rule. You probably also want a rule that reads:
to dn.base="cn=subschema" by * read
in the {-1}frontend,cn=config database as well.
So for your back-mdb database, what one would expect is more something like:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
write by group.exact="cn=groupabcadmin,ou=ABC
Customer,dc=core,dc=hdt,dc=hu" write by
dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
12:50 p.m.
New subject: Admin roles by group membership per OU
Hi folks,
many-many thanks for your helps,
On Thu, Oct 12, 2017 at 11:06:00AM -0700, Quanah Gibson-Mount wrote:
--On Thursday, October 12, 2017 6:32 PM +0200 Ervin Hegedüs
<airween(a)gmail.com> wrote:
>rules:
>
>olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
>anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
>olcAccess: {1}to dn.base="" by * read
>olcAccess: {2}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by
>self write by group.exact="cn=groupabcadmin,ou=ABC
>Customer,dc=core,dc=hdt,dc=hu" write by self write by anonymous auth by
>dn="uid=repuser,dc=mycompany,dc=hu" read olcAccess: {3}to * by * read
Your olcAccess: {1} value does not belong in your back-MDB database. That
rule goes in the {-1}frontend,cn=config portion of the database as a global
access rule.
what does it reveal? This rule comes with the default
installation...
You probably also want a rule that reads:
to dn.base="cn=subschema" by * read
the frontend config is this:
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
in the {-1}frontend,cn=config database as well.
So for your back-mdb database, what one would expect is more something like:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read
well, at first look it works - many thanks again.
I'll check it all config tomorrow.
Regards,
a.
1:45 a.m.
New subject: Admin roles by group membership per OU
Hi all,
On Thu, Oct 12, 2017 at 11:06:00AM -0700, Quanah Gibson-Mount wrote:
So for your back-mdb database, what one would expect is more something like:
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by
anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read
now the rules are:
dn: olcDatabase={1}mdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by
dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * none
olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self
write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu"
write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read
olcAccess: {2}to * by * read
and a member of cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu
can modify any attributes at any users under the ou=ABC Customer,
EXCEPT the userPassword - when I want to modify that, I get
permission error:
ldap_modify: Insufficient access (50)
Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: result not in cache
(userPassword)
Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: delete access to
"uid=abc_airween,ou=ABC Customer,dc=core,dc=hdt,dc=hu" "userPassword"
requested
Oct 16 10:42:05 open-ldap slapd[31421]: => acl_get: [1] attr userPassword
Oct 16 10:42:05 open-ldap slapd[31421]: => acl_mask: access to entry
"uid=abc_airween,ou=ABC Customer,dc=core,dc=hdt,dc=hu", attr
"userPassword" requested
Oct 16 10:42:05 open-ldap slapd[31421]: => acl_mask: to all values by
"uid=abc_user1,ou=abc customer,dc=core,dc=hdt,dc=hu", (=0)
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: self
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: anonymous
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat:
uid=repuser,dc=core,dc=hdt,dc=hu
Oct 16 10:42:05 open-ldap slapd[31421]: <= check a_dn_pat: *
Oct 16 10:42:05 open-ldap slapd[31421]: <= acl_mask: [4] applying none(=0) (stop)
Oct 16 10:42:05 open-ldap slapd[31421]: <= acl_mask: [4] mask: none(=0)
Oct 16 10:42:05 open-ldap slapd[31421]: => slap_access_allowed: delete access denied by
none(=0)
Oct 16 10:42:05 open-ldap slapd[31421]: => access_allowed: no more rules
How can I combine the attrs and group permissions? Should I list
all attributes in rule?
Thanks,
a.
2241
days inactive
2245
days old
openldap-technical@openldap.org
2 comments
2 participants
participants (2)
-
Ervin Hegedüs -
Quanah Gibson-Mount