On Tue, Jan 12, 2016 at 2:47 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
> --On Tuesday, January 12, 2016 2:38 PM -0500 Katherine Faella kmf@uri.edu wrote:
>> Which is where I am having trouble. I believe that deleting the {0}
>> element should keep the {1} and move it up to the correct position.
> I do this extensively, and it works fine. What OpenLDAP release are you on?
> --Quanah
I was afraid you were going to ask that. We are running the Redhat 6 supported 2.4.40-7.el6_7. We have a policy here of sticking with the redhat supported releases of packages since our staff is so small.
I really need to resolve this for an important project here. Of course the project is behind schedule and I am left with little time to get my stuff working. I was hoping my syntax was just incorrect. The only other way I can imagine fixing this is to revert to slapd.conf ....
I guess the good news is that my steps and syntax look okay to you. If you have any other thoughts I would happily accept them.
Thanks, Kathy
--On Tuesday, January 12, 2016 2:55 PM -0500 Katherine Faella kmf@uri.edu wrote:
Hi Kathy,
> I was afraid you were going to ask that. We are running the Redhat 6 supported 2.4.40-7.el6_7. We have a policy here of sticking with the redhat supported releases of packages since our staff is so small.
Extremely ill-advised for a number of reasons. I'd suggest using the LTB project software instead, since it actually links to secure TLS software. 2.4.40 had some serious bugs as well. You can set up the LTB software via their YUM repository.
http://ltb-project.org/wiki/download#openldap http://ltb-project.org/wiki/documentation/openldap-rpm#yum_repository
> I really need to resolve this for an important project here. Of course the project is behind schedule and I am left with little time to get my stuff working. I was hoping my syntax was just incorrect. The only other way I can imagine fixing this is to revert to slapd.conf ....
> I guess the good news is that my steps and syntax look okay to you. If you have any other thoughts I would happily accept them.
Just tested, and can confirm it works correctly for me:
[zimbra@zre-ldap003 ~]$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w 8utM5cM7v0 -b "olcDatabase={2}mdb,cn=config" -s base olcAccess
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write
olcAccess: {2}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {3}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {4}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {6}to attrs=zimbraAllowFromAddress,DKIMIdentity,DKIMSelector,DKIMDomain,DKIMKey by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {7}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {8}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled,member,memberURL,zimbraMemberOf by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none
olcAccess: {9}to dn.subtree="cn=groups,cn=zimbra" attrs=zimbraMailAlias,member,zimbraMailStatus,entry by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read
olcAccess: {10}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read

[zimbra@zre-ldap003 ~]$ cat /tmp/access-del.ldif
dn: olcDatabase={2}mdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {0}

[zimbra@zre-ldap003 ~]$ ldapmodify -x -H ldapi:/// -D cn=config -w 8utM5cM7v0 -f /tmp/access-del.ldif
modifying entry "olcDatabase={2}mdb,cn=config"

[zimbra@zre-ldap003 ~]$
[zimbra@zre-ldap003 ~]$ ldapsearch -x -LLL -H ldapi:/// -D cn=config -w 8utM5cM7v0 -b "olcDatabase={2}mdb,cn=config" -s base olcAccess
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra" write
olcAccess: {1}to attrs=zimbraZimletUserProperties,zimbraGalLdapBindPassword,zimbraGalLdapBindDn,zimbraAuthTokenKey,zimbraPreAuthKey,zimbraPasswordHistory,zimbraIsAdminAccount,zimbraAuthLdapSearchBindPassword by dn.children="cn=admins,cn=zimbra" write by * none
olcAccess: {2}to attrs=objectclass by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {3}to attrs=@amavisAccount by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {4}to attrs=mail by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * +0 break
olcAccess: {5}to attrs=zimbraAllowFromAddress,DKIMIdentity,DKIMSelector,DKIMDomain,DKIMKey by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {6}to filter="(!(zimbraHideInGal=TRUE))" attrs=cn,co,company,dc,displayName,givenName,gn,initials,l,mail,o,ou,physicalDeliveryOfficeName,postalCode,sn,st,street,streetAddress,telephoneNumber,title,uid,homePhone,pager,mobile,userCertificate by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by users read by * none
olcAccess: {7}to attrs=zimbraId,zimbraMailAddress,zimbraMailAlias,zimbraMailCanonicalAddress,zimbraMailCatchAllAddress,zimbraMailCatchAllCanonicalAddress,zimbraMailCatchAllForwardingAddress,zimbraMailDeliveryAddress,zimbraMailForwardingAddress,zimbraPrefMailForwardingAddress,zimbraMailHost,zimbraMailStatus,zimbraMailTransport,zimbraDomainName,zimbraDomainType,zimbraPrefMailLocalDeliveryDisabled,member,memberURL,zimbraMemberOf by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read by dn.base="uid=zmamavis,cn=appaccts,cn=zimbra" read by * none
olcAccess: {8}to dn.subtree="cn=groups,cn=zimbra" attrs=zimbraMailAlias,member,zimbraMailStatus,entry by dn.children="cn=admins,cn=zimbra" write by dn.base="uid=zmpostfix,cn=appaccts,cn=zimbra" read
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
--Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
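The check Quanah performs by hand above (search, delete `{0}`, search again, eyeball the renumbering) can be made mechanical. The following Python script is an added example, not part of this thread or of OpenLDAP: it unfolds the LDIF that `ldapsearch -LLL` prints, predicts what the X-ORDERED `olcAccess` list should look like after `delete: olcAccess` / `olcAccess: {n}`, and diffs that prediction against a second search, so a server that keeps the rules but fails to renumber them (the symptom Kathy describes) is reported as a concrete mismatch. The LDIF samples are constructed in the shape of the output above, with only three rules.

```python
"""Predict and check the renumbering of olcAccess after an X-ORDERED delete.

Added example, not part of this thread or of the OpenLDAP project. It parses
the folded LDIF that `ldapsearch -LLL ... olcAccess` prints, simulates the
`delete: olcAccess` / `olcAccess: {n}` modification from the thread, and
compares the predicted list with a second ldapsearch taken after the change.
"""
import re
from typing import Dict, List

# Constructed sample in the shape of the thread's output (three rules only).
BEFORE_LDIF = """\
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to attrs=userPassword by anonymous auth by dn.children="cn=adm
 ins,cn=zimbra" write
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra"
  write
olcAccess: {2}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by *
  read
"""

# Constructed: what a correctly behaving server returns after deleting {0}.
AFTER_LDIF_OK = """\
dn: olcDatabase={2}mdb,cn=config
olcAccess: {0}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra"
  write
olcAccess: {1}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by *
  read
"""

# Constructed: the failure mode discussed in the thread, rules kept but not
# renumbered, so the list no longer starts at {0}.
AFTER_LDIF_STALE = """\
dn: olcDatabase={2}mdb,cn=config
olcAccess: {1}to dn.subtree="cn=zimbra" by dn.children="cn=admins,cn=zimbra"
  write
olcAccess: {2}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by *
  read
"""

ORDERED_RE = re.compile(r"^olcAccess:\s*\{(\d+)\}(.*)$")


def unfold_ldif(text: str) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the previous line."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding drops exactly one leading space
        elif raw.strip():
            lines.append(raw)
    return lines


def parse_olc_access(text: str) -> Dict[int, str]:
    """Map each {n} index to its rule body, e.g. 0 -> 'to attrs=userPassword ...'."""
    rules: Dict[int, str] = {}
    for line in unfold_ldif(text):
        m = ORDERED_RE.match(line)
        if m:
            rules[int(m.group(1))] = m.group(2)
    return rules


def delete_ldif(dn: str, index: int) -> str:
    """The ldapmodify input used in the thread: delete one value by its {n} tag."""
    return f"dn: {dn}\nchangetype: modify\ndelete: olcAccess\nolcAccess: {{{index}}}\n-\n"


def delete_rule(rules: Dict[int, str], index: int) -> List[str]:
    """Predicted olcAccess values after deleting {index}: the remaining rules
    keep their relative order and are renumbered from {0}."""
    if index not in rules:
        raise KeyError(f"no olcAccess rule with index {{{index}}}")
    remaining = [rules[i] for i in sorted(rules) if i != index]
    return [f"{{{n}}}{body}" for n, body in enumerate(remaining)]


def check_server_result(expected: List[str], after_ldif: str) -> List[str]:
    """Compare the prediction with a post-change ldapsearch; [] means it matched."""
    actual = parse_olc_access(after_ldif)
    got = [f"{{{i}}}{actual[i]}" for i in sorted(actual)]
    problems: List[str] = []
    if sorted(actual) != list(range(len(actual))):
        problems.append(f"indices not contiguous from 0: {sorted(actual)}")
    if len(expected) != len(got):
        problems.append(f"expected {len(expected)} rules, server has {len(got)}")
    for n, (e, g) in enumerate(zip(expected, got)):
        if e != g:
            problems.append(f"rule {n}: expected {e!r}, got {g!r}")
    return problems


if __name__ == "__main__":
    before = parse_olc_access(BEFORE_LDIF)
    predicted = delete_rule(before, 0)
    print(delete_ldif("olcDatabase={2}mdb,cn=config", 0))
    print("predicted after delete:", *predicted, sep="\n  ")
    print("ok server:", check_server_result(predicted, AFTER_LDIF_OK) or "match")
    print("stale server:", check_server_result(predicted, AFTER_LDIF_STALE))
```

In practice the two LDIF strings come from the same `ldapsearch` invocation shown above, run before and after the `ldapmodify`; an empty problem list confirms the server renumbered the remaining rules, and a non-empty one pinpoints which index or rule differs from what the X-ORDERED semantics predict.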
--On Tuesday, January 12, 2016 2:55 PM -0500 Katherine Faella kmf@uri.edu wrote:
> I was afraid you were going to ask that. We are running the Redhat 6 supported 2.4.40-7.el6_7. We have a policy here of sticking with the redhat supported releases of packages since our staff is so small.
Unfortunately, that is a very flawed policy. In addition to 2.4.40 being a problematic release, RedHat links OpenLDAP to insecure and buggy SSL libraries (MozNSS). Thankfully, RH has dropped this approach for the future, but folks are still stuck with it for now. Also, RedHat generally will not truly offer you support on the OpenLDAP they ship. Issues that arise by using their packages should be directed to RedHat support, but good luck getting a resolution.
If you're unable to build and deploy OpenLDAP on your own, then you may be interested in the LTB project packages, which are linked to OpenSSL and are kept current. They provide both RHEL and Debian/Ubuntu repositories.
Finally, if you require support for your OpenLDAP deployment, then it's generally best to run the Symas builds of OpenLDAP and have a support contract with them.
As for the ACL issue in question here, I can confirm it works as designed in my deployments.
Regards, Quanah
--
Quanah Gibson-Mount
Platform Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
A division of Synacor, Inc
openldap-technical@openldap.org